Code review request: 8025123: SNI support in Kerberos cipher suites
Artem
artem.smotrakov at oracle.com
Mon Sep 30 13:27:18 UTC 2013
Hello,
please review this fix for 8:
http://cr.openjdk.java.net/~kshefov/8025123/webrev.00/
https://bugs.openjdk.java.net/browse/JDK-8025123
SNI APIs were introduced in JDK 8, but the TLS Kerberos client
implementation does not take the SNI host name into account when it
requests a TGS.
For example, there are two HTTPS sites on the same machine:
https_service_1.test.machine
https_service_2.test.machine
KDC contains records for both HTTPS services:
host/https_service_1.test.machine@TEST.REALM
host/https_service_2.test.machine@TEST.REALM
The client wants the 'https_service_1.test.machine' service, and it
sets the SNI host name 'https_service_1.test.machine' during the handshake.
Currently the TLS Kerberos client implementation requests a TGS for
'host/test.machine@TEST.REALM' instead of
'host/https_service_1.test.machine@TEST.REALM'.
Changes:
- ClientHandshaker uses the SNI host name if it is specified.
- If the client gets a server name extension in the server hello, it is
considered an SNI confirmation, so the SNI host name must be used to build
the Kerberos service principal name. If there is no SNI confirmation, the
client uses the SNI host name first and then falls back to getHostSE().
- The KerberosClientKeyExchangeImpl.getServiceTicket() method used to change
the hostname for the service principal if a loopback address was used. But
since we introduced SNI, using the IP address to make the decision does not
work any more. For compatibility reasons, the method checks whether
"localhost" or "localhost.localdomain" is passed (they are the two known
loopback hostnames). If so, it still tries to get the local hostname.
- Added a test case to test/sun/security/krb5/auto/SSL.java
I have tested this with the available reg/jck/sqe tests; no issues found.
Artem
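The host-name selection described in the review request above (SNI host name first, mandatory when the server hello confirms SNI, getHostSE() as the fallback otherwise, and the "localhost"/"localhost.localdomain" compatibility mapping) is shown below as an added, stand-alone example. It is not the JDK's ClientHandshaker or KerberosClientKeyExchangeImpl code and is not part of the original message; the method names, the `sniConfirmed` flag standing in for "server hello carried a server_name extension", the `peerHost` parameter standing in for getHostSE(), and the `localHostName` parameter are all assumptions made for the demo. The service names use hyphens rather than the underscores in the report because javax.net.ssl.SNIHostName applies STD3 ASCII rules and rejects underscores in a host_name.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.StandardConstants;

/*
 * Illustrative sketch (assumption: not the JDK's own implementation) of how a
 * TLS Kerberos client can choose the host part of the "host/<name>@REALM"
 * service principal once SNI is taken into account.
 */
public class KrbSniPrincipalDemo {

    // The two loopback host names the compatibility check looks for.
    private static final List<String> LOOPBACK_NAMES =
            Arrays.asList("localhost", "localhost.localdomain");

    /** First host_name entry in the client's requested SNI list, or null if none. */
    static String sniHostName(List<SNIServerName> requested) {
        if (requested == null) {
            return null;
        }
        for (SNIServerName name : requested) {
            if (name.getType() == StandardConstants.SNI_HOST_NAME) {
                return ((SNIHostName) name).getAsciiName();
            }
        }
        return null;
    }

    /**
     * Host name to build the service principal from.
     *
     * sniConfirmed: the server hello echoed a server_name extension; SNI is then mandatory.
     * peerHost:     the connection's host name (what getHostSE() would return).
     */
    static String principalHost(List<SNIServerName> requested,
                                boolean sniConfirmed, String peerHost) {
        String sni = sniHostName(requested);
        if (sniConfirmed) {
            if (sni == null) {
                throw new IllegalStateException(
                        "server confirmed SNI but the client sent no host_name");
            }
            return sni;
        }
        // No confirmation: still prefer SNI, fall back to the connection host name.
        return (sni != null) ? sni : peerHost;
    }

    /** Loopback compatibility mapping, then Kerberos principal formatting. */
    static String servicePrincipal(String host, String realm, String localHostName) {
        String h = host;
        if (LOOPBACK_NAMES.contains(h.toLowerCase(Locale.ROOT))) {
            // Old behaviour kept for the two known loopback names: use the local host name.
            h = localHostName;
        }
        return "host/" + h + "@" + realm;
    }

    public static void main(String[] args) throws UnknownHostException {
        String realm = "TEST.REALM";
        String peerHost = "test.machine";  // constructed: the socket's host name
        List<SNIServerName> sni = Collections.<SNIServerName>singletonList(
                new SNIHostName("https-service-1.test.machine"));
        String local = InetAddress.getLocalHost().getCanonicalHostName();

        // Before the fix: the principal was built from the connection host only.
        System.out.println("old:             " + servicePrincipal(peerHost, realm, local));
        // SNI sent and confirmed by the server hello.
        System.out.println("sni confirmed:   "
                + servicePrincipal(principalHost(sni, true, peerHost), realm, local));
        // SNI sent but not echoed: SNI is still preferred.
        System.out.println("sni unconfirmed: "
                + servicePrincipal(principalHost(sni, false, peerHost), realm, local));
        // No SNI at all: fall back to the connection host name.
        System.out.println("no sni:          "
                + servicePrincipal(principalHost(null, false, peerHost), realm, local));
        // Loopback names keep the pre-SNI "use the local host name" behaviour.
        System.out.println("loopback:        " + servicePrincipal("localhost", realm, local));
    }
}
```

Running the class prints host/test.machine@TEST.REALM for the old behaviour and host/https-service-1.test.machine@TEST.REALM for both the confirmed and unconfirmed SNI cases; the only observable difference between those two paths is that a confirmed SNI with no client host_name is treated as an error rather than falling back to the peer host. Note that this is not a real loopback check any more: an SNI name that resolves to 127.0.0.1 but is spelled differently from the two listed names will be used as-is in the principal.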