https://bz.apache.org/bugzilla/show_bug.cgi?id=65302
--- Comment #1 from Michael Osipov <micha...@apache.org> --- Why? I did several reviews of the ticket when it was discussed with security-dev@. The only SASL mech supporting this is GSSAPI and you can request GSS-API to completely encrypt your traffic with Kerberos (auth-conf), no TLS necessary. SSPI offers other mechs besides GSSAPI to use channel binding (Digest MD5 which is dead). This is a case (auth-conf) even MS considers to be secure and no need to enforce TLS channel binding. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org