RFR 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
Xuelei Fan
xuelei.fan at oracle.com
Wed Sep 17 05:58:29 UTC 2014
On 9/17/2014 1:49 PM, Wang Weijun wrote:
>> I would prefer we do it now. If I did not miss something, the new design should be more simple
>> and straightforward.
>
> Maybe, but I am not sure since this would surely touch more TLS side code. If you want to be totally separated, we also need to move the ciphersuite definitions outside CipherSuite.java. The TLS side can iterate through all providers to add them back and create something like a Map<keyExchangeAlg, KeyExchangeService>. Then we could use this map in all "switch (keyExchange)" blocks.
>
> Do you think it's easier to make these changes based on the current code? Or based on my modified code?
>
> Can you describe the KeyExchangeService interface you are thinking about? Currently I have to define a two-level interface -- ExternalCipherSuiteProvider and ExternalCipherSuiteProvider.Exchanger -- to model the service and the exchange instance.
>
OK, I will wrap up my ideas of the KeyExchangeService. But it may take a
few more days. Wish I could get it ready by next Monday.
Thanks,
Xuelei