Reply: RFR 8036779: sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec

Weijun Wang weijun.wang at oracle.com
Wed May 14 06:04:29 UTC 2014


What do you mean by detecting the platform? So if I find the file is also used by NetBSD krb5 then I treat it as seconds and if not milliseconds? That's quite impossible. In my opinion, it all depends on how the writer is educated, Java or something else.

How is this unsafe, especially compared to if we don't fix it? The only bad thing is that if someone wants to set the timeout to be less than 120 ms, now there will be no way to do it. But that should never happen, right?

My comment in the bug mentions we can support "5s", but then I realize it does not really solve the unit-less case.

Thanks
Max

-----Original Message-----
From: Xuelei Fan
Sent: 2014/5/14 13:21
To: security-dev at openjdk.java.net
Subject: Re: RFR 8036779: sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec

This does not sound like a safe update to me.  Is it possible to 
detect the actual kdc_timeout spec (for example, using the known 
platform) of the underlying configuration?

Xuelei


On 5/14/2014 8:38 AM, Weijun Wang wrote:
> Please review the code changes at
>
>     http://cr.openjdk.java.net/~weijun/8036779/webrev.00/
>
> The problem is that Java treats kdc_timeout as milliseconds but others
> (NetBSD here) might treat it as seconds. With this code change, when the
> number is <= 120, it's seconds, otherwise, milliseconds.
>
> One exception would be that someone thinking NetBSD style could set it
> to 999 for a "maximum" timeout but the final result is less than 1
> second. In that case, we should advise him/her to set it to 99999999.
>
> Thanks
> Max

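The heuristic under review (a bare kdc_timeout value of at most 120 is seconds, anything larger is milliseconds) and the "999" pitfall it creates are easy to see side by side. The block below is an added example, not code from the OpenJDK change or the webrev; the threshold is taken from the proposed change, the "5s" suffix from the bug comment, and the "ms" suffix and the minimal [libdefaults] reader are assumptions added here for illustration. The krb5.conf text is constructed for the example.

```python
"""Worked example of the kdc_timeout unit heuristic discussed in the thread.

Added example; not the OpenJDK implementation. The threshold (120) is the
one proposed in the review, the "5s" suffix is the one mentioned in the bug
comment, and "ms" is an extra suffix assumed here for illustration.
"""
import re
from typing import Dict, Optional

# Proposed rule: a unit-less value <= 120 is seconds, otherwise milliseconds.
SECONDS_THRESHOLD = 120

# Optional unit suffix. "s" per the bug comment; "ms" is an assumption here.
_WITH_UNIT = re.compile(r"^\s*(\d+)\s*(ms|s)\s*$", re.IGNORECASE)


def kdc_timeout_millis(value: str) -> int:
    """Return the effective timeout in milliseconds for a kdc_timeout string.

    A suffixed value is unambiguous; a bare number falls back to the
    <= 120 heuristic. Negative values are rejected.
    """
    m = _WITH_UNIT.match(value)
    if m:
        n, unit = int(m.group(1)), m.group(2).lower()
        return n if unit == "ms" else n * 1000
    n = int(value.strip())
    if n < 0:
        raise ValueError("kdc_timeout must not be negative: %r" % value)
    return n * 1000 if n <= SECONDS_THRESHOLD else n


def interpretations(n: int) -> Dict[str, int]:
    """Show how one bare number reads under each convention, in milliseconds.

    "java_ms" is the pre-change Java reading (always milliseconds),
    "netbsd_ms" the seconds reading the thread attributes to NetBSD,
    "proposed_ms" the heuristic from the review.
    """
    return {
        "java_ms": n,
        "netbsd_ms": n * 1000,
        "proposed_ms": kdc_timeout_millis(str(n)),
    }


def parse_libdefaults(conf: str) -> Dict[str, str]:
    """Minimal [libdefaults] reader, enough for the constructed sample below.

    Not a full krb5.conf parser (no nested realms, no includes); assumption
    made for the example.
    """
    section: Optional[str] = None
    out: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip()
    return out


# Constructed sample: an admin who thinks in NetBSD-style seconds and picked
# 999 as a "maximum" timeout. Under the heuristic this becomes 999 ms.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM   # constructed, not a real deployment
    kdc_timeout = 999

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def effective_timeout(conf: str) -> Optional[int]:
    """Effective kdc_timeout in milliseconds for a krb5.conf text, or None."""
    value = parse_libdefaults(conf).get("kdc_timeout")
    return None if value is None else kdc_timeout_millis(value)


if __name__ == "__main__":
    for n in (5, 120, 121, 999, 99999999):
        print(n, interpretations(n))
    print("sample conf ->", effective_timeout(SAMPLE_CONF), "ms")
```

Running it shows the boundary behaviour: 120 becomes 120000 ms while 121 stays 121 ms, and the constructed conf's 999 resolves to 999 ms rather than the 999 s its author intended, which is exactly the case the review thread flags.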