RFR 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine

Weijun Wang weijun.wang at oracle.com
Tue May 26 03:32:42 UTC 2015

This is the latest webrev of this bug


No significant change from the previous one, mainly rebase.

There are some issues which need changes inside JSSE. I'd like to file 
another bug for them.

1. JsseJce.java still uses core reflection to detect whether Kerberos 
support is available. It cannot call ClientKeyExchangeService.find() 
because there is a circular initialization problem between it and 

2. CipherSuite.java still contains hard coded krb5-related KeyExchange 
and CipherSuite values. These should be moved into plugin.

Finally, a lot of you speak out that RFC 2712 is dead and we needn't 
support them. Thanks for the advice. However, this code change is mainly 
a refactoring of existing codes because in jdk9 we will have to separate 
TLS and Kerberos into different modules, and we cannot simply drop the 


On 9/16/2014 9:31 AM, Wang Weijun wrote:
> Hi Xuelei
> Please review the latest code change at
>     http://cr.openjdk.java.net/~weijun/8038089/webrev.04/
> Compared with webrev.03, only the way the provider is loaded is changed, which is the static block on lines 50-71 of Krb5Helper.java.
> Thanks
> Max

More information about the security-dev mailing list