RFR 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine

Weijun Wang weijun.wang at oracle.com
Wed May 27 04:45:05 UTC 2015

Oh, not the last one. Here is a new one that uses String instead of 
CipherSuite.KeyExchange in the service interface. 1) below is thus resolved.



On 5/26/2015 11:32 AM, Weijun Wang wrote:
> This is the latest webrev of this bug
>     http://cr.openjdk.java.net/~weijun/8038089/webrev.06/
> No significant change from the previous one, mainly rebase.
> There are some issues which need changes inside JSSE. I'd like to file
> another bug for them.
> 1. JsseJce.java still uses core reflection to detect whether Kerberos
> support is available. It cannot call ClientKeyExchangeService.find()
> because there is a circular initialization problem between it and
> CipherSuite.
> 2. CipherSuite.java still contains hard coded krb5-related KeyExchange
> and CipherSuite values. These should be moved into a plugin.
> Finally, a lot of you have spoken out that RFC 2712 is dead and we needn't
> support them. Thanks for the advice. However, this code change is mainly
> a refactoring of existing code because in jdk9 we will have to separate
> TLS and Kerberos into different modules, and we cannot simply drop the
> feature.
> Thanks
> Max
> On 9/16/2014 9:31 AM, Wang Weijun wrote:
>> Hi Xuelei
>> Please review the latest code change at
>>     http://cr.openjdk.java.net/~weijun/8038089/webrev.04/
>> Compared with webrev.03, only the way the provider is loaded is
>> changed, which is the static block on lines 50-71 of Krb5Helper.java.
>> Thanks
>> Max
