RFR 8130720: BadKDC1 failed again

Weijun Wang weijun.wang at oracle.com
Wed Jul 8 02:25:31 UTC 2015

Hi All

Please review the fix at


As the bug description [1] says, at this stage, when k1 and k2 are on,
although the most likely output is 1212 (try #1 without preauth,
succeeds; try #1 with preauth, succeeds), the actual output we spotted in
a test run, 122212 (try #1 without preauth, timeout; try #2 without
preauth, succeeds; try #1 with preauth, succeeds), is still possible.

It will be a mess to list all possible outputs because of a possible
timeout at each request and its different consequences. In this case, the
list is "(12(12){1,2}|122232-)". The main reason I want to add a new
output is that, compared to 122232- (timeout at #1, timeout at #2, timeout
at #3, fail at last), 122212 is much more likely to happen.


[1] https://bugs.openjdk.java.net/browse/JDK-8130720
