[security-dev 01652]: Code review request: 6844909: support allow_weak_crypto in krb5.conf

Max (Weijun) Wang Weijun.Wang at Sun.COM
Sun Feb 28 23:07:27 PST 2010

Hi Valerie

Can you please take a review on this fix?


Basically, when "allow_weak_crypto = false" is set in krb5.conf's [libdefaults], DES-related etypes will not be used. Note that this setting also removes any weak etypes in the default_*_enctypes settings. This config was added in MIT's krb5-1.7 and defaults to false in 1.8. However, for compatibility (which we care a lot in Java), its default value is still true in Java.


> *Change Request ID*: 6844909
> *Synopsis*: support allow_weak_crypto in krb5.conf
> === *Description* ============================================================
> Latest MIT krb5 supports a allow_weak_crypto key in krb5.conf, when set to true, disallows DES be used in all kinds of etypes. We can support it also.
> Currently, MIT krb5's default value for this key is false, but it might become true one day.
It's true in 1.8 now.

> *** (#1 of 1): 2009-05-26 03:50:36 GMT+00:00 weijun.wang at sun.com

More information about the security-dev mailing list