答复: RFR 8036779: sun.security.krb5.KdcComm interprets kdc_timeout asmsec instead of sec

Weijun Wang weijun.wang at oracle.com
Thu May 15 01:41:09 UTC 2014 


On 5/15/2014 9:27, Xuelei Fan wrote:
> On 5/14/2014 8:24 PM, Weijun Wang wrote:
>>>> How is this unsafe, especially compared to if we don't fix it? The only
>>>> bad thing is that if someone wants to set the timeout to be less than
>>>> 120 ms, now there will be no way to do it. But that should never happen,
>>>> right?
>>>>
>>> My concerns is that it might happen. 120ms is not a small number, and
>>> 120s is not a big number in some circumstances.
>>
>> 120ms and 120s are possible values,
> So it is really confusing to me that 119 will be treated as seconds, and
> 121 will be treated as milliseconds.

This is unfortunate, we can document it.

>
>> but I doubt people will set them in
>> krb5.conf.
>>
> I did not get your idea.  People won't use kdc_timeout option at all?

No, what I mean is people is not likely to set these values as 
kdc_timeout. If someone sets it to 120ms it means he does not want to 
wait more than that and would rather switch to another KDC or fail. That 
looks too impatient. If someone sets it to 120s, that is a too long time 
for me. In general, 3 sec to 30 sec sounds sane.

>
>>>
>>> Alternatively, for better inerop, we can suggest to use explicit spec in
>>> the configure instead of guess the what the spec is.  Support two
>>> default specs is really confusing.
>>>
>>
>> Unless we drop kdc_timeout and invent a new key name, we will have to
>> deal with the correctness (sec) and compatibility (msec) at the same
>> time. Yes, we can suggest people always adding a unit, but it looks most
>> people simply put a bare number there.
> IMHO, just declare it as a known issue of Java is an alternative
> approach I may prefer.
>
> Is Java the only implementation to use milliseconds in the
> configuration?  Do we have public specification for the kdc_timeout
> option?  Or we just declare we follow the industry conversions?  If Java
> is the only vendor to use milliseconds wrongly, it may be OK to make the
> correction in a major release (JDK 9?).

We should be the only one using msec.

Java SE have a public spec saying the default value is 30000, that 
implies we uses msec. Oracle has other doc claiming it's msec:

   http://docs.oracle.com/cd/E19728-01/820-2550/activedir_auth.html

If we just change to sec it is a big compatibility issue. User won't 
notice any error report expect finding their app runs much slower.

Thanks
Max

>
> Xuelei
>

More information about the security-dev mailing list