[8u] TLSv1.3 RFR: 8245474: Add TLS_KRB5 cipher suites support according to RFC-2712
Martin Balao
mbalao at redhat.com
Mon Jul 20 20:33:52 UTC 2020
Hi Alexey,
Thanks for your feedback.
On 7/17/20 5:32 PM, Alexey Bakhtin wrote:
> 1. You have updated the list of classes in the sun/security/ssl/krb5 package.
> These classes are the bridge to the JGSS/KRB5 implementation. The compact
> profile 1 does not include the JGSS/KRB5 implementation, so the build scripts
> verify references to removed packages. Exceptions are described in the
> make/data/checkdeps/refs.allowed script. This script should be updated
> with the new class names. Otherwise it fails during profiles creation.
Well spotted! Should be fixed in Webrev.03.
> 2. Three Kerberos tests failed because the server cannot select a KRB5 cipher suite.
> It happens because the server principal name is not specified (it’s allowed behaviour).
> As a result, the implementation does not create a possession and the corresponding cipher suite
> is not selected. I suggest creating the possession even if no serverPrincipal is returned,
> similar to the original implementation.
> The code could be updated like the following in KrbKeyExchange.java:
> @@ -91,7 +91,6 @@ final class KrbKeyExchange {
> }
> return null;
> }
> - return new KrbServiceCreds(serviceCreds);
> }
> }
> } catch (PrivilegedActionException e) {
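Review bot: With the early `return new KrbServiceCreds(serviceCreds);` removed, the success path now falls through past the `catch (PrivilegedActionException e)` to the method's final return, so `serviceCreds` has to be in scope and definitely assigned there; its declaration is not visible in this hunk, so please confirm it is declared before the `try` and starts out as null. A one-line comment at the removed return saying that the possession is still created when no server principal is returned would record why the early exit went away.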
> @@ -100,8 +99,9 @@ final class KrbKeyExchange {
> SSLLogger.fine("Attempt to obtain Kerberos key failed: "
> + e.toString());
> }
> + return null;
> }
> - return null;
> + return (serviceCreds != null)?new KrbServiceCreds(serviceCreds):null;
> }
> }
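Review bot: Style point on the new final return: `(serviceCreds != null)?new KrbServiceCreds(serviceCreds):null` has no spaces around `?` and `:` and the parentheses are not needed; `return serviceCreds != null ? new KrbServiceCreds(serviceCreds) : null;` is easier to read. The `return null;` added inside the catch block is fine as an explicit failure exit, but it means the final return is reached only on the non-exception path, which is worth stating in a short comment so the two null results are not confused later.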
Hmm.. interesting. You're right: I took the extra license of discarding
the ciphersuite if serverPrincipal is null. This does not reflect the
previous behavior in ServerHandshaker::setupKerberosKeys method
(ServerHandshaker.java). Should be fixed in Webrev.03.
Webrev.03:
http://cr.openjdk.java.net/~mbalao/webrevs/8245474/8245474.webrev.03/
Look forward to more feedback.
Thanks,
Martin.-