[security-dev 01658]: Re: Code review request: 6844909: support allow_weak_crypto in krb5.conf

Valerie Peng Yu-Ching.Peng at Sun.COM
Mon Mar 1 16:59:43 PST 2010


Hi, Max,

Looks good, no further comments.
Thanks,
Valerie

On 03/01/10 16:54, Max (Weijun) Wang wrote:
> Hi Valerie
>
> Thanks! All suggestions accepted.
>
> Webrev updated at http://cr.openjdk.java.net/~weijun/6844909/webrev.01
>
> Thanks again
> Max
>
>
> On Mar 2, 2010, at 8:44 AM, Valerie Peng wrote:
>
>> Hi, Max,
>>
>> Changes look fine, here are some minor comments:
>> 1) In EType.java, lines 60 and 64 should be indented with one extra space.
>> 2) In EType.java, there should be comments added to "BUILTIN_ETYPES" and "BUILTIN_ETYPES_NOAES256" mentioning that the first two entries are removed when ALLOW_WEAK_CRYPTO is false.
>> 3) In EType.java, lines 235 and 236 still mention these weak crypto etypes regardless. Shouldn't they be updated?
>>
>> Thanks,
>> Valerie
>> On 02/28/10 23:07, Max (Weijun) Wang wrote:
>>> Hi Valerie
>>>
>>> Can you please review this fix?
>>>
>>> http://cr.openjdk.java.net/~weijun/6844909/webrev.00
>>>
>>>
>>> Basically, when "allow_weak_crypto = false" is set in krb5.conf's [libdefaults], DES-related etypes will not be used. Note that this setting also removes any weak etypes in the default_*_enctypes settings. This config was added in MIT's krb5-1.7 and defaults to false in 1.8. However, for compatibility (which we care about a lot in Java), its default value is still true in Java.
>>>
>>> Thanks
>>> Max
>>>
>>>> *Change Request ID*: 6844909
>>>>
>>>> *Synopsis*: support allow_weak_crypto in krb5.conf
>>>>
>>>>
>>>> === *Description* ============================================================
>>>> Latest MIT krb5 supports an allow_weak_crypto key in krb5.conf which, when set to true, disallows DES from being used in all kinds of etypes. We can support it also.
>>>>
>>>> Currently, MIT krb5's default value for this key is false, but it might become true one day.
>>>>
>>> It's true in 1.8 now.
>>>
>>>> *** (#1 of 1): 2009-05-26 03:50:36 GMT+00:00 weijun.wang at sun.com
>
>   
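
An added illustration, not part of the thread or of the JDK change under review: a small audit helper that reads the [libdefaults] section of a krb5.conf and reports which etypes remain in each default_*_enctypes setting once allow_weak_crypto is applied, as the review request describes. The weak-etype test (names starting with "des-"), the accepted boolean spellings and the sample configuration are assumptions made for the example.

```python
import re

# Assumption: "weak" means the DES-related etypes the thread mentions, matched
# here by name prefix; a real Kerberos implementation keeps its own list.
def is_weak(etype):
    return etype.lower().startswith("des-")

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section only."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def effective_etypes(text, default_allow_weak=True):
    """Etypes left in each default_*_enctypes key after the weak-crypto filter.
    default_allow_weak=True is the Java default per the thread; False models MIT 1.8."""
    conf = parse_libdefaults(text)
    flag = conf.get("allow_weak_crypto")
    # Assumption: these spellings count as true; anything else is false.
    allow = default_allow_weak if flag is None else flag.lower() in ("true", "yes", "on", "1")
    result = {}
    for key, value in conf.items():
        if re.fullmatch(r"default_\w+_enctypes", key):
            etypes = [e for e in re.split(r"[,\s]+", value) if e]
            result[key] = [e for e in etypes if allow or not is_weak(e)]
    return result

# Constructed sample configuration, not taken from the thread.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    default_tkt_enctypes = des-cbc-crc aes128-cts-hmac-sha1-96 des-cbc-md5
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, rc4-hmac
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

if __name__ == "__main__":
    print(effective_etypes(SAMPLE))
```

Running the same file with the allow_weak_crypto line removed shows the difference between the two defaults: the DES etypes stay with the Java default and are dropped with `default_allow_weak=False`.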
