Reply: RFR 8036779: sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec

Xuelei Fan xuelei.fan at oracle.com
Thu May 15 01:27:11 UTC 2014


On 5/14/2014 8:24 PM, Weijun Wang wrote:
>>> How is this unsafe, especially compared to if we don't fix it? The only
>>> bad thing is that if someone wants to set the timeout to be less than
>>> 120 ms, now there will be no way to do it. But that should never happen,
>>> right?
>>>
>> My concern is that it might happen. 120ms is not a small number, and
>> 120s is not a big number in some circumstances.
> 
> 120ms and 120s are possible values,
So it is really confusing to me that 119 will be treated as seconds, and
121 will be treated as milliseconds.

> but I doubt people will set them in
> krb5.conf.
> 
I did not get your idea.  People won't use kdc_timeout option at all?

>>
>> Alternatively, for better interop, we can suggest using an explicit spec in
>> the configuration instead of guessing what the spec is.  Supporting two
>> default specs is really confusing.
>>
> 
> Unless we drop kdc_timeout and invent a new key name, we will have to
> deal with the correctness (sec) and compatibility (msec) at the same
> time. Yes, we can suggest people always adding a unit, but it looks most
> people simply put a bare number there.
IMHO, just declaring it as a known issue of Java is an alternative
approach I may prefer.

Is Java the only implementation to use milliseconds in the
configuration?  Do we have public specification for the kdc_timeout
option?  Or do we just declare we follow the industry conventions?  If Java
is the only vendor to use milliseconds wrongly, it may be OK to make the
correction in a major release (JDK 9?).

Xuelei
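As an added illustration of the point argued in this thread (not code from the JDK or from either participant), the parser below applies the heuristic under discussion to a krb5.conf kdc_timeout value: a bare number up to 120 is read as seconds, a larger bare number as milliseconds, and a value with an explicit unit suffix is taken at face value. The 120 cutoff and the accepted unit suffixes are assumptions taken from the discussion, not a statement of what the JDK implements; check_kdc_timeout shows the discontinuity around the threshold and flags bare numbers so that a configuration can be linted for the explicit-unit convention suggested above.

```python
import re
from typing import Optional, Tuple

# Threshold from the thread: a bare number <= 120 is read as seconds,
# anything larger as milliseconds. Assumption for illustration only; the
# actual cutoff used by the JDK fix is not stated on this page.
BARE_NUMBER_SECONDS_MAX = 120

# Explicit unit suffixes accepted by this example (an assumption, not a
# documented krb5.conf grammar), mapped to milliseconds.
_UNIT_TO_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}

_VALUE_RE = re.compile(r"(\d+)\s*([a-z]*)")


def parse_kdc_timeout_ms(value: str) -> int:
    """Return the timeout in milliseconds for one kdc_timeout value.

    "3000ms" and "5s" are unambiguous; a bare number falls back to the
    seconds-or-milliseconds heuristic described in the thread.
    """
    text = value.strip().lower()
    match = _VALUE_RE.fullmatch(text)
    if not match:
        raise ValueError(f"invalid kdc_timeout value: {value!r}")
    number, unit = int(match.group(1)), match.group(2)
    if unit:
        if unit not in _UNIT_TO_MS:
            raise ValueError(f"unknown time unit {unit!r} in {value!r}")
        return number * _UNIT_TO_MS[unit]
    # Bare number: the compatibility heuristic.
    if number <= BARE_NUMBER_SECONDS_MAX:
        return number * 1000
    return number


def check_kdc_timeout(value: str) -> Tuple[int, Optional[str]]:
    """Parse a value and return (milliseconds, warning).

    The warning is set for bare numbers, where the interpretation depends
    on the heuristic rather than on what the administrator wrote. This is
    the linting a deployment could run over krb5.conf to enforce the
    "always add a unit" convention suggested in the thread.
    """
    ms = parse_kdc_timeout_ms(value)
    if value.strip().isdigit():
        unit = "seconds" if ms != int(value.strip()) else "milliseconds"
        return ms, (f"kdc_timeout={value.strip()} has no unit and is read as "
                    f"{unit} ({ms} ms); write an explicit unit instead")
    return ms, None


def threshold_discontinuity() -> Tuple[int, int]:
    """Milliseconds assigned to the bare values 119 and 121.

    Shows the jump Xuelei objects to: 119 becomes 119000 ms while 121
    becomes 121 ms, so a one-unit change in the file moves the timeout by
    three orders of magnitude.
    """
    return parse_kdc_timeout_ms("119"), parse_kdc_timeout_ms("121")


if __name__ == "__main__":
    # Constructed sample krb5.conf settings, not taken from any real file.
    for sample in ("119", "121", "120", "5s", "3000ms", "120s", "120ms"):
        ms, warning = check_kdc_timeout(sample)
        print(f"{sample:>7} -> {ms:>7} ms  {warning or ''}")
    print("discontinuity (119, 121) ->", threshold_discontinuity())
```

Running the block prints the interpretation of each constructed sample and a warning for every bare number; the explicit-unit values "120s" and "120ms" resolve to 120000 ms and 120 ms respectively without any guessing, which is the interoperability argument made in the quoted text.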

