Code review request: 8005523: Unbound krb5 for TLS
Xuelei Fan
xuelei.fan at oracle.com
Tue Apr 16 12:18:29 UTC 2013
On 4/16/2013 5:44 PM, Weijun Wang wrote:
>>
>> I am not sure how to do that. Can I just skip this check and whenever
>> subject != null always set resumingSession to true? This is not very
>> correct but is it possible to detect the mismatch later and "resume" the
>> full negotiation?
>>
No, it is dangerous. The server has to make the right decision while
parsing ClientHello.
Can you design a new Krb5Helper method to match the principals and
implement it in krb5/Krb5ProxyImpl.java. If it is a bound krb5, need to
match exactly; otherwise, the matching is performed per the request of
unbound krb5.
For unbound krb5, what's the return value of KerberosKey.getPrincipal()?
Is it a "*"? If it is always a "*", we also can check it in
ServerHandshake.java. I'm afraid it is not reliable so you won't
consider it.
>
> It seems the purpose of this check is that, if it fails, you can be sure
> that kerberos is not loaded so the full negotiation will try to find a
> RSA ciphersuite. Is that right?
>
It depends. The check is also can be used to prevent abused session
resuming. The following full negotiation acts like a new handshaking, so
the Kerberos cipher suite may be used again.
> I cannot call kerberos-specific codes in SSL because of module
> independence.
>
krb5/Krb5ProxyImpl.java? See above.
Xuelei
More information about the security-dev
mailing list