On 8038089: TLS optional support for Kerberos cipher suites needs to be re-examined
Xuelei Fan
xuelei.fan at oracle.com
Thu Jul 17 04:35:37 UTC 2014
On 7/16/2014 4:41 PM, Wang Weijun wrote:
> Hi Xuelei
>
> A *primitive* version of webrev available at
>
> http://cr.openjdk.java.net/~weijun/8038089/webrev.00
>
> Please confirm this is the way you like it.
>
I have not read much of the details of the update, but it looks
like it is going the right way.
> ExternalCipherSuite is the service interface and Krb5CipherSuite implements it. It's a modification of the old Krb5Proxy, but I've moved as much Kerberos-related code as possible to the implementation side, so it has fewer methods now.
>
> Most likely we will define this new interface in a public package.
>
If krb5 is the only external implementation of TLS cipher suites, I
think we may want to try our best not to define a public interface if
possible.
Thanks,
Xuelei
> I didn't touch any core SSL classes except for ClientHandshaker and ServerHandshaker. If you think there are other places too closely connected with Kerberos, please let me know.
>
> Ideally, those
>
>     case K_KRB5: case K_KRB5_EXPORT:
>         Krb5Helper.doXXX(...);
>
> should be something like
>
>     default:
>         getExternalHelper(keyExchange).doXXX(...)
>
> but I guess we won't do that unless we know there will be a second implementation.
>
> Thanks
> Max
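
Added example (not code from the webrev or from either participant): a Java sketch of the "default:" dispatch discussed above, which refuses the handshake when no external provider handles the key exchange. Only the names ExternalCipherSuite, getExternalHelper, K_KRB5 and K_KRB5_EXPORT come from the thread; the method signatures, FakeKrb5Suite, the K_RSA placeholder and the use of java.util.ServiceLoader are assumptions.

```java
import java.util.List;
import java.util.ServiceLoader;
import javax.net.ssl.SSLHandshakeException;

public class ExternalSuiteDispatch {
    /** Hypothetical shape of the service interface; only its name is from the thread. */
    public interface ExternalCipherSuite {
        boolean handles(String keyExchange);
        byte[] clientKeyExchange(String serverName) throws SSLHandshakeException;
    }

    /** Constructed stand-in for a Kerberos provider; performs no real Kerberos. */
    static final class FakeKrb5Suite implements ExternalCipherSuite {
        public boolean handles(String kx) {
            return kx.equals("K_KRB5") || kx.equals("K_KRB5_EXPORT");
        }
        public byte[] clientKeyExchange(String serverName) {
            return ("ticket-for:" + serverName).getBytes();
        }
    }

    /** Find the provider for a key exchange; fail closed when none is installed. */
    static ExternalCipherSuite getExternalHelper(String kx,
            Iterable<ExternalCipherSuite> providers) throws SSLHandshakeException {
        for (ExternalCipherSuite p : providers) {
            if (p.handles(kx)) return p;
        }
        throw new SSLHandshakeException("no provider for key exchange " + kx);
    }

    /** Core handshaker switch: built-in exchanges stay inline, the rest go external. */
    static byte[] clientKeyExchange(String kx, String serverName,
            Iterable<ExternalCipherSuite> providers) throws SSLHandshakeException {
        switch (kx) {
            case "K_RSA":
                return new byte[] {0x03, 0x03};   // placeholder for built-in logic
            default:
                return getExternalHelper(kx, providers).clientKeyExchange(serverName);
        }
    }

    public static void main(String[] args) throws Exception {
        // Provider present: a constructed list stands in for a registered module.
        byte[] msg = clientKeyExchange("K_KRB5", "host.example", List.of(new FakeKrb5Suite()));
        System.out.println(new String(msg));
        try {   // Provider absent: ServiceLoader finds nothing, so the handshake is refused.
            clientKeyExchange("K_KRB5", "host.example", ServiceLoader.load(ExternalCipherSuite.class));
        } catch (SSLHandshakeException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```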