<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] ([SSF]) appears to be a broadly interpreted value within some [SASL] implementations.

[We|ContactUs] can find No definition has been found in any [RFC].

!! [Oracle][1]
[SSF], the [{$pagename}], indicates the strength of the [SASL] protection. If the mechanism supports a security layer, the client and server negotiate the [SSF]. The value of the [SSF] is based on the security properties that were specified before the [SASL] negotiation. If a non-zero [SSF] is negotiated, both client and server need to use the mechanism's security layer when the authentication has completed.

SSF is represented by an integer with one of the following values:
* 0 – No protection.
* 1 – Integrity checking only.
* &gt;1 – Supports authentication, integrity and confidentiality. The number represents the encryption key length.

The [confidentiality] and [integrity] operations are performed by the security mechanism. libsasl coordinates these requests.

!! [OpenLDAP][2]
[OpenLDAP] has multiple SSFs.  For each session, there is one for [SASL], one for [TLS], etc., and an overall session [SSF] (the greatest [SSF] of any particular layer).

From slapd.conf(5): an integer approximate to effective key length used for encryption. 
* 0 (zero) implies no protection,
* 1 implies integrity protection only,
* 56 allows [DES] or other weak ciphers,
* 112 allows [triple DES] and other strong ciphers,
* 128 allows [RC4], [Blowfish] and other modern strong ciphers.

[SASL]/EXTERNAL, itself, provides no security layers.There may be protections provided by lower layers (like [TLS]) and, if so, these are reflected in [SSF] associated with the particular layer providing the protection as well as the overall [SSF].[2]

!! [389 Directory Server][3]
[389 Directory Server] allows setting Minimum SSF Usage within [ACIs], but the calculation of [{$pagename}] was not shown.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [SASL Security Strength Factor|https://docs.oracle.com/cd/E23824_01/html/819-2145/sasl.intro.20.html|target='_blank'] - based on information obtained 2016-09-05
* [#2] - [Re: Security Strength Factor|http://www.openldap.org/lists/openldap-software/200212/msg00380.html|target='_blank'] - based on information obtained 2016-09-05
</pre>