RFR 8036779: sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec

Xuelei Fan Xuelei.Fan at Oracle.COM
Wed May 14 05:21:12 UTC 2014


This does not sound like a safe update to me.  Is it possible to
detect the actual kdc_timeout spec (for example, using the known
platform) of the underlying configuration?

Xuelei


On 5/14/2014 8:38 AM, Weijun Wang wrote:
> Please review the code changes at
>
>     http://cr.openjdk.java.net/~weijun/8036779/webrev.00/
>
> The problem is that Java treats kdc_timeout as milliseconds but others
> (NetBSD here) might treat it as seconds. With this code change, when the
> number is <= 120, it's seconds, otherwise, milliseconds.
>
> One exception would be that someone thinking NetBSD style could set it
> to 999 for a "maximum" timeout but the final result is less than 1
> second. In that case, we should advise him/her to set it to 99999999.
>
> Thanks
> Max
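
The heuristic proposed in the quoted message, written out as an added example (this is not code from the webrev or from the JDK). The class and method names are hypothetical, the krb5.conf fragments are constructed, and the section parsing is simplified to plain `key = value` lines under `[libdefaults]`.

```java
public class KdcTimeoutHeuristic {
    // Threshold from the proposal in the thread: values <= 120 are read as seconds.
    static final int SECONDS_THRESHOLD = 120;

    /** Returns the timeout in milliseconds under the proposed heuristic. */
    static int toMillis(int raw) {
        if (raw <= 0) {
            throw new IllegalArgumentException("kdc_timeout must be positive: " + raw);
        }
        return raw <= SECONDS_THRESHOLD ? Math.multiplyExact(raw, 1000) : raw;
    }

    /** Extracts kdc_timeout from the [libdefaults] section of krb5.conf text, or -1 if absent. */
    static int readKdcTimeout(String conf) {
        boolean inLibdefaults = false;
        for (String line : conf.split("\\R")) {
            String s = line.trim();
            if (s.isEmpty() || s.startsWith("#") || s.startsWith(";")) continue;
            if (s.startsWith("[")) {
                inLibdefaults = s.equals("[libdefaults]");
                continue;
            }
            if (!inLibdefaults) continue;
            int eq = s.indexOf('=');
            if (eq > 0 && s.substring(0, eq).trim().equals("kdc_timeout")) {
                return Integer.parseInt(s.substring(eq + 1).trim());
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed sample values, including both sides of the threshold and
        // the 999 case the message calls out.
        for (int raw : new int[] {30, 120, 121, 999, 30000, 99999999}) {
            String conf = "[libdefaults]\n"
                    + "  default_realm = EXAMPLE.COM\n"
                    + "  kdc_timeout = " + raw + "\n";
            int value = readKdcTimeout(conf);
            System.out.printf("kdc_timeout = %-9d -> %d ms%n", value, toMillis(value));
        }
    }
}
```

Running it shows the discontinuity at the threshold: 120 becomes 120000 ms while 121 stays 121 ms, and 999 stays 999 ms, which is the sub-second result the message describes.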



