RFR 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine

Wang Weijun weijun.wang at oracle.com
Wed Sep 17 05:49:42 UTC 2014

> I would prefer we do it now.  If I did not miss something, the new design should be more simple
> and straightforward.

Maybe, but I am not sure since this would surely touch more TLS side codes. If you want to be totally separated, we also need to move the ciphersuites definitions outside CipherSuite.java. The TLS side can iterate through all providers to add them back and create something like a Map<keyExchangeAlg, KeyExchangeService>. Then we could use this map in all "switch (keyExchange)" blocks.

Do you think it's easier to make these changes based on the current codes? Or based on my modified codes?

Can you describe the KeyExchangeService interface you are thinking about? Currently I have to define a two-level interface -- ExternalCipherSuiteProvider and ExternalCipherSuiteProvider.Exchanger -- to model the service and the exchange instance.


More information about the security-dev mailing list