On 8038089: TLS optional support for Kerberos cipher suites needs to be re-examined
Alan Bateman
Alan.Bateman at oracle.com
Mon Jul 21 15:09:55 UTC 2014
On 21/07/2014 09:22, Wang Weijun wrote:
> Please review the updated webrev at
>
> http://cr.openjdk.java.net/~weijun/8038089/webrev.01
>
> Some comment changes. Some arguments rearrangement between classes.
>
> The interface is still in sun.security.ssl. It will be easy to move it to somewhere else later. When module is introduced, we may need to export the interface from java.base to java.security.jgss.
>
I've skimmed over the changes (not a detailed review yet) and just want
to check one thing - would I be correct to say that this isn't a general
solution for plugging in additional cipher suites, the ServiceLoader usage
in Krb5Helper looks specifically for a provider that supports
TLS_KRB5_XXX from what I can establish.

One other thing about the ServiceLoader usage in Krb5Helper is that it's
using the one-arg load method, hence the TCCL will be used to locate the
cipher suite providers. As the provider is cached system-wide then I
assume you meant to specify the system class loader here.

The profiles build currently uses a simple dependency checker to ensure
that there aren't any dependencies in a compact N build on something
that is in a larger profile or the JRE. It allows a few exceptions, due
to the need to keep jsse.jar and these are maintained in
jdk/make/data/checkdeps/refs.allowed. I think this file will need to be
updated to drop references to classes that no longer exist.

A minor comment is that the new files are missing a copyright header, I
assume you'll fix that up before pushing.

-Alan.
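
The difference between the one-arg and two-arg `ServiceLoader.load` forms raised in the message above, as an added example that is not part of the original email or the webrev. `SuiteProvider`, `DemoProvider` and the temporary directory are hypothetical stand-ins, not JDK classes. A provider registered only where the thread context class loader (TCCL) can see it is found by the one-arg form and not by a lookup pinned to the system class loader, which is why the loader choice matters when the result is cached system-wide.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ServiceLoader;

public class TcclLookupDemo {
    // Hypothetical service type standing in for the cipher suite provider interface.
    public interface SuiteProvider { String name(); }

    // Hypothetical provider, advertised only through the constructed directory below.
    public static class DemoProvider implements SuiteProvider {
        public String name() { return "demo-provider"; }
    }

    // Counts the providers a given ServiceLoader can actually instantiate.
    static int count(ServiceLoader<SuiteProvider> loader) {
        int n = 0;
        for (SuiteProvider p : loader) n++;
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a directory containing only a META-INF/services entry.
        Path root = Files.createTempDirectory("tccl-demo");
        Path dir = Files.createDirectories(root.resolve("META-INF").resolve("services"));
        Files.write(dir.resolve(SuiteProvider.class.getName()),
                DemoProvider.class.getName().getBytes(StandardCharsets.UTF_8));

        // A loader that sees the registration; stands in for an application or container loader.
        try (URLClassLoader appLoader = new URLClassLoader(
                new URL[] { root.toUri().toURL() }, TcclLookupDemo.class.getClassLoader())) {
            Thread current = Thread.currentThread();
            ClassLoader saved = current.getContextClassLoader();
            current.setContextClassLoader(appLoader);
            try {
                // One-arg form: resolves providers through the TCCL of the calling thread.
                int viaTccl = count(ServiceLoader.load(SuiteProvider.class));
                // Two-arg form: the lookup is pinned to the system class loader.
                int viaSystem = count(ServiceLoader.load(
                        SuiteProvider.class, ClassLoader.getSystemClassLoader()));
                System.out.println("one-arg load (TCCL): " + viaTccl + " provider(s)");
                System.out.println("system class loader: " + viaSystem + " provider(s)");
            } finally {
                current.setContextClassLoader(saved);
            }
        }
    }
}
```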