On 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine

Alan Bateman Alan.Bateman at oracle.com
Mon Jul 21 15:09:55 UTC 2014


On 21/07/2014 09:22, Wang Weijun wrote:
> Please review the updated webrev at
>
>    http://cr.openjdk.java.net/~weijun/8038089/webrev.01
>
> Some comment changes. Some arguments rearrangement between classes.
>
> The interface is still in sun.security.ssl. It will be easy to move it to somewhere else later. When module is introduced, we may need to export the interface from java.base to java.security.jgss.
>
I've skimmed over the changes (not a detailed review yet) and just want 
to check one thing - would I be correct to say that this isn't a general 
solution for plugging in additional cipher suites, the ServiceLoader usage 
in Krb5Helper looks specifically for a provider that supports 
TLS_KRB5_XXX from what I can establish.

One other thing about the ServiceLoader usage in Krb5Helper is that it's 
using the one-arg load method, hence the TCCL will be used to locate the 
cipher suite providers. As the provider is cached system-wide then I 
assume you meant to specify the system class loader here.

The profiles build currently uses a simple dependency checker to ensure 
that there aren't any dependencies in a compact N build on something 
that is in a larger profile or the JRE. It allows a few exceptions, due 
to the need to keep jsse.jar and these are maintained in 
jdk/make/data/checkdeps/refs.allowed. I think this file will need to be 
updated to drop references to classes that no longer exist.

A minor comment is that the new files are missing a copyright header, I 
assume you'll fix that up before pushing.

-Alan.
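
The class loader point raised in the message, as an added example that is not part of the original mail or the webrev: the one-arg `ServiceLoader.load` resolves providers through the thread context class loader, so what a system-wide cache ends up holding depends on which thread ran the first lookup. `SuiteProvider`, `ContextOnlyProvider` and the temporary `META-INF/services` entry are hypothetical stand-ins constructed for the demo.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.ServiceLoader;

public class TcclLookupDemo {
    // Hypothetical stand-in for the cipher suite provider interface under review.
    public interface SuiteProvider { String name(); }

    // Hypothetical provider, registered only where the context loader can see it.
    public static class ContextOnlyProvider implements SuiteProvider {
        public String name() { return "registered-via-TCCL"; }
    }

    static List<String> names(ServiceLoader<SuiteProvider> loader) {
        List<String> out = new ArrayList<>();
        for (SuiteProvider p : loader) out.add(p.name());
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed registration: a services file visible to one extra loader only.
        Path root = Files.createTempDirectory("tccl-demo");
        Path services = Files.createDirectories(root.resolve("META-INF/services"));
        Files.write(services.resolve(SuiteProvider.class.getName()),
                    ContextOnlyProvider.class.getName().getBytes("UTF-8"));

        ClassLoader system = ClassLoader.getSystemClassLoader();
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        try (URLClassLoader ctx = new URLClassLoader(new URL[] { root.toUri().toURL() }, system)) {
            t.setContextClassLoader(ctx);
            // One-arg load: discovery goes through the thread context class loader.
            System.out.println("load(Class):         " + names(ServiceLoader.load(SuiteProvider.class)));
            // Two-arg load pinned to the system loader: the context-only entry is not seen.
            System.out.println("load(Class, system): " + names(ServiceLoader.load(SuiteProvider.class, system)));
        } finally {
            t.setContextClassLoader(saved);
        }
    }
}
```

Run with the class on the class path; the first lookup lists the context-only provider and the second returns an empty list.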