Description
Due to the underlying requirements of LDAP external authentication, only PLAIN authentication is capable of using an externally defined user. To this end, SDK 3.0 introduced a safe-by-default heuristic that defines how an SDK selects an authentication mechanism. The idea was that the SDK would have a predefined list of allowed mechanisms, this would be matched against the server's list of mechanisms, and the most secure mechanism present in both lists would be selected.

As part of this, non-TLS and TLS connections would have different predefined lists. TLS connections would contain only the PLAIN mechanism (since the server only offers PLAIN on TLS anyway). Non-TLS connections would contain only SCRAM mechanisms (so we are less susceptible to downgrade attacks). Additionally, the user would be able to configure their own list of supported mechanisms. This means that, by default, the SDK would never transmit user credentials over a non-TLS connection using PLAIN.

Currently it appears that the C SDK has a block in place which makes it impossible for a user to force PLAIN usage over non-TLS connections, even purposefully (see: https://github.com/couchbase/libcouchbase/blob/12d8fcd63d1768525506358a4cb815400d051059/src/mcserver/negotiate.cc#L291-L293).
The logic inside the C SDK should be modified such that:
- Non-TLS connections should use (by default): SCRAM_SHA512, SCRAM_SHA256 or SCRAM_SHA1
- TLS connections should use (by default): PLAIN
- User-specified mechanism lists should be allowed, and permit the use of ANY mechanism (including PLAIN).
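The selection rule described above, written out as a small C example (added here for illustration, not libcouchbase's own code): the built-in default list depends on whether the connection is TLS, a user-supplied list replaces that default entirely, and the first allowed mechanism the server also advertises wins. The hyphenated mechanism spellings and the space-separated list format are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Allowed lists, ordered from most to least secure. A user list overrides
 * the default entirely, so PLAIN over non-TLS happens only on request. */
static const char *TLS_DEFAULT = "PLAIN";
static const char *PLAINTEXT_DEFAULT = "SCRAM-SHA512 SCRAM-SHA256 SCRAM-SHA1";

/* Return 1 if `mech` appears as a whole token in the space-separated `list`
 * (so "PLAIN" does not match "PLAINX", and "SCRAM-SHA1" does not match
 * "SCRAM-SHA12"). */
static int list_has(const char *list, const char *mech)
{
    size_t n = strlen(mech);
    const char *p = list;
    while ((p = strstr(p, mech)) != NULL) {
        int starts = (p == list || p[-1] == ' ');
        int ends = (p[n] == '\0' || p[n] == ' ');
        if (starts && ends) return 1;
        p += n;
    }
    return 0;
}

/* Pick the mechanism to use. `server_mechs` is what the server advertised;
 * `user_mechs` is the user's explicit list, or NULL to use the built-in
 * default chosen by `is_tls`. Returns the selected mechanism name (in a
 * static buffer) or NULL when no allowed mechanism is offered. */
const char *select_mech(const char *server_mechs, int is_tls, const char *user_mechs)
{
    static char chosen[64];
    const char *allowed = user_mechs ? user_mechs
                                     : (is_tls ? TLS_DEFAULT : PLAINTEXT_DEFAULT);
    const char *p = allowed;
    while (*p) {
        while (*p == ' ') p++;               /* skip separators */
        const char *end = p;
        while (*end && *end != ' ') end++;   /* find end of this token */
        size_t n = (size_t)(end - p);
        if (n == 0) break;
        if (n < sizeof chosen) {
            memcpy(chosen, p, n);
            chosen[n] = '\0';
            if (list_has(server_mechs, chosen)) return chosen;
        }
        p = end;
    }
    return NULL;
}
```

With the defaults, a server that offers only PLAIN on a non-TLS connection yields no mechanism at all, which is the "never send credentials in PLAIN without TLS" guarantee; passing an explicit user list containing PLAIN is what allows the purposeful override the ticket asks for.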
Cheers, Brett