Code review request: 8005523: Unbound krb5 for TLS
Weijun Wang
weijun.wang at oracle.com
Thu Mar 14 08:42:54 UTC 2013
Hi Xuelei
You might know that krb5 now supports unbound acceptor, which means if
you set "principal=*" in an acceptor's JAAS login config file, it can
serve as any service. The acceptor would read initiator's request, find
out what the intended service name is, and then find a key for it from
its keytab file.
Currently TLS's krb5 ciphersuites must know the service principal at the
beginning; they use the info to read keys and then wait for incoming
requests. This must be changed if they also want to be "unbound".
I have a primitive patch here
http://cr.openjdk.java.net/~weijun/8005523/webrev.00
You can see it gets a ServiceCreds instead of KerberosKey at the
beginning. This ServiceCreds encapsulates keytabs and JAAS settings, and
it can be used to find keys for any service name later.
The fix is quite ugly. Especially, I make Handshaker public and pass it
to KerberosClientKeyExchangeImpl so that its context can be used to
check permissions. Is this necessary? I mean, is the context any
different from the one inside KerberosClientKeyExchangeImpl?
Thanks
Max
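As an added illustration (not part of the original mail or of the webrev), the two acceptor login configurations being contrasted above, written as JAAS entries for the Krb5LoginModule. The entry names, the keytab path and the host/realm in the bound principal are constructed placeholders; the `principal=*` form is the unbound acceptor the mail describes, where the service name is taken from the initiator's request and the matching key is then looked up in the keytab.

```conf
/* Bound acceptor (constructed example): the service principal is fixed
 * up front, so only requests for this one name can be served. */
boundAcceptor {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/etc/krb5/example.keytab"              /* placeholder path */
        principal="host/server.example.com@EXAMPLE.COM" /* constructed name */
        isInitiator=false;
};

/* Unbound acceptor (constructed example): principal=* means the acceptor
 * reads the intended service name from the incoming request and then
 * selects the matching key from the keytab, so one acceptor can serve
 * every service that has a key in that keytab. Keep the keytab limited
 * to the services this host is meant to answer for. */
unboundAcceptor {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/etc/krb5/example.keytab"              /* placeholder path */
        principal="*"
        isInitiator=false;
};
```

The two entries differ only in the `principal` value; with the unbound form, a keytab holding keys for several services lets one acceptor answer for all of them, which is the behaviour the TLS krb5 ciphersuites would need to adopt to stop requiring the service principal at handshake start.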