Uploaded image for project: 'Couchbase C client library libcouchbase'
  1. Couchbase C client library libcouchbase
  2. CCBC-1307

Cannot connect to external-auth clusters on non-TLS

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • 3.0.4
    • 3.0.5
    • library
    • None
    • 1

    Description

      Due to the underlying requirements of LDAP external authentication, only PLAIN authentication is capable of using an externally defined user. To this end, in SDK 3.0, there was a safe-by-default heuristic devised to define the behaviour of an SDK with regards to authentication mechanism selection. The idea was that the SDK would have a predefined list of allowed mechanisms, and this would be matched to the servers list of mechanisms, and the most secure mechanism that existed in both lists would be selected. A part of this was that non-TLS and TLS connections would have a different set of predefined lists. TLS connections would contain only the PLAIN mechanism (since the server only has PLAIN on TLS anyways). Non-TLS connections would only contain SCRAM mechanisms (so we aren't as susceptible to downgrade attacks). Additionally, the user would be able to configured their own list of supported mechanisms. This means that by default, the SDK would never transmit user credentials over a non-TLS connection in PLAIN. Currently it appears that the C SDK has a block in place which makes it impossible for a user to force PLAIN usage over non-TLS connections, even purposefully (see: https://github.com/couchbase/libcouchbase/blob/12d8fcd63d1768525506358a4cb815400d051059/src/mcserver/negotiate.cc#L291-L293).

      The logic inside the C SDK should be modified such that:

      • Non-TLS connections should use (by default): SCRAM_SHA512, SCRAM_SHA256 or SCRAM_SHA1
      • TLS connections should use (by default): PLAIN
      • User-specified mechanism lists should be allowed, and permit the use of ANY mechanism (including PLAIN).

      Cheers, Brett

      Attachments

        Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            Build couchbase-server-7.0.0-4433 contains libcouchbase commit 2680473 with commit message:
            CCBC-1307: allow to select PLAIN mechanism for SASL

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.0.0-4433 contains libcouchbase commit 2680473 with commit message: CCBC-1307 : allow to select PLAIN mechanism for SASL

            People

              brett19 Brett Lawson
              brett19 Brett Lawson
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes

                  PagerDuty