Code review request: 8005523: Unbound krb5 for TLS

Weijun Wang weijun.wang at oracle.com
Mon Apr 1 13:16:07 UTC 2013


Ping again.

On 3/14/13 4:42 PM, Weijun Wang wrote:
> Hi Xuelei
>
> You might know that krb5 now supports unbound acceptor, which means if
> you set "principal=*" in an acceptor's JAAS login config file, it can
> serve as any service. The acceptor would read initiator's request, find
> out what the intended service name is, and then find a key for it from
> its keytab file.
>
> Currently TLS's krb5 ciphersuites must know the service principal at the
> beginning; it uses the info to read keys and then waits for incoming
> requests. This must be changed if it also wants to be "unbound".
>
> I have a primitive patch here
>
>     http://cr.openjdk.java.net/~weijun/8005523/webrev.00
>
> You can see it gets a ServiceCreds instead of KerberosKey at the
> beginning. This ServiceCreds encapsulates keytabs and JAAS settings, and
> it can be used to find keys for any service name later.
>
> The fix is quite ugly. Especially, I make Handshaker public and pass it
> to KerberosClientKeyExchangeImpl so that its context can be used to
> check permissions. Is this necessary? I mean, is the context any
> different from the one inside KerberosClientKeyExchangeImpl?
>
> Thanks
> Max
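The unbound-acceptor behaviour described in the quoted message, as an added illustration that is not part of the webrev or of the JDK sources: a JAAS entry with `principal="*"` and a plain JGSS acceptor that only learns which service was requested once the initiator's token has been accepted. The keytab path, JAAS entry name and port are placeholder assumptions.

```java
// Added example (not from the webrev): an unbound Kerberos acceptor via JGSS.
// Assumed JAAS entry, loaded with -Djava.security.auth.login.config=<file>:
//   UnboundAcceptor {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useKeyTab=true
//           storeKey=true
//           keyTab="/etc/krb5/service.keytab"   // placeholder path
//           principal="*"                      // unbound: any service in the keytab
//           isInitiator=false;
//   };
import java.io.*;
import java.net.*;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class UnboundAcceptor {
    public static void main(String[] args) throws Exception {
        // principal="*" makes every key in the keytab available to the acceptor.
        LoginContext lc = new LoginContext("UnboundAcceptor");
        lc.login();
        Subject subject = lc.getSubject();
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");
            // A null name means the credential is not bound to one service principal.
            GSSCredential cred = mgr.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
            try (ServerSocket ss = new ServerSocket(4444);   // placeholder port
                 Socket s = ss.accept();
                 DataInputStream in = new DataInputStream(s.getInputStream());
                 DataOutputStream out = new DataOutputStream(s.getOutputStream())) {
                GSSContext ctx = mgr.createContext(cred);
                while (!ctx.isEstablished()) {
                    byte[] tok = new byte[in.readInt()];
                    in.readFully(tok);
                    // The intended service name comes from the initiator's AP-REQ;
                    // the matching key is looked up in the keytab at this point.
                    byte[] reply = ctx.acceptSecContext(tok, 0, tok.length);
                    if (reply != null) { out.writeInt(reply.length); out.write(reply); }
                }
                System.out.println("client " + ctx.getSrcName()
                        + " requested service " + ctx.getTargName());
                ctx.dispose();
            }
            return null;
        });
    }
}
```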


