[8u] TLSv1.3 RFR: 8245474: Add TLS_KRB5 cipher suites support according to RFC-2712
Alexey Bakhtin
alexey at azul.com
Fri Jul 17 20:32:19 UTC 2020
Hello Martin,
Thank you for the updated review.
It looks much cleaner than my version.
I haven’t finished the review yet, but I was able to build and test it with the sun/security/ssl/krb5/auto jtreg tests.
For now I’ve found just two issues:
1. You have updated the list of classes in the sun/security/ssl/krb5 package.
These classes are the bridge to the JGSS/KRB5 implementation. The compact
profile 1 does not include the JGSS/KRB5 implementation, so the build scripts
verify references to removed packages. Exceptions are described in the
make/data/checkdeps/refs.allowed script. This script should be updated
with the new class names. Otherwise it fails during profile creation.
2. Three Kerberos tests failed because the server cannot select a KRB5 cipher suite.
It happens because the server principal name is not specified (it’s allowed behaviour).
As a result, the implementation does not create a possession and the corresponding cipher suite
is not selected. I suggest creating a possession even if no serverPrincipal is returned,
similar to the original implementation.
The code could be updated like the following in KrbKeyExchange.java:
@@ -91,7 +91,6 @@ final class KrbKeyExchange {
}
return null;
}
- return new KrbServiceCreds(serviceCreds);
}
}
} catch (PrivilegedActionException e) {
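Review bot: at the removed `return new KrbServiceCreds(serviceCreds);`, nothing is left in the code to say why this path no longer returns from inside the block; please add a short comment there noting that a possession is still created when no server principal is specified, since that reasoning currently lives only in this mail. The `return null;` two lines above it stays as an early exit, so the comment should also state which condition that exit covers.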
@@ -100,8 +99,9 @@ final class KrbKeyExchange {
SSLLogger.fine("Attempt to obtain Kerberos key failed: "
+ e.toString());
}
+ return null;
}
- return null;
+ return (serviceCreds != null)?new KrbServiceCreds(serviceCreds):null;
}
}
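Review bot: the new final `return (serviceCreds != null)?new KrbServiceCreds(serviceCreds):null;` is missing spaces around `?` and `:`; suggest `return (serviceCreds != null) ? new KrbServiceCreds(serviceCreds) : null;`. That line also reads `serviceCreds` after the try/catch, and its declaration is not visible in these hunks, so please confirm it is declared before the `try`. With `return null;` now added inside the catch block, the null check only guards the case where the privileged action completes without credentials.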
With these changes all sun/security/ssl/krb5/auto tests passed.
Regards
Alexey
> On 15 Jul 2020, at 03:28, Martin Balao <mbalao at redhat.com> wrote:
>
> On 7/6/20 5:45 PM, Martin Balao wrote:
>>
>> Oh, good point! Hmm... let me give this some more thought, because I
>> still find it confusing.
>>
>
> Hi,
>
> I'd like to propose Webrev.02:
>
> * http://cr.openjdk.java.net/~mbalao/webrevs/8245474/8245474.webrev.02/
>