RFR 8036779: sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec
Xuelei Fan
Xuelei.Fan at Oracle.COM
Wed May 14 05:21:12 UTC 2014
This does not sound like a safe update to me. Is it possible to
detect the actual kdc_timeout spec (for example, using the known
platform) of the underlying configuration?
Xuelei
On 5/14/2014 8:38 AM, Weijun Wang wrote:
> Please review the code changes at
>
> http://cr.openjdk.java.net/~weijun/8036779/webrev.00/
>
> The problem is that Java treats kdc_timeout as milliseconds but others
> (NetBSD here) might treat it as seconds. With this code change, when the
> number is <= 120, it's seconds, otherwise, milliseconds.
>
> One exception would be that someone thinking NetBSD style could set it
> to 999 for a "maximum" timeout but the final result is less than 1
> second. In that case, we should advise him/her to set it to 99999999.
>
> Thanks
> Max