RFR 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
Xuelei Fan
xuelei.fan at oracle.com
Wed May 27 08:50:31 UTC 2015
src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java
----------------------
- } else if (keyExchange == K_KRB5 || keyExchange == K_KRB5_EXPORT) {
+ } else if (ClientKeyExchangeService.find(keyExchange.name) != null) {
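Review bot: the `+` line broadens the condition from the two explicit constants to any key exchange name for which a ClientKeyExchangeService is registered, so nothing on this line tells a reader that only KRB5 is expected today; a short comment stating the current scope would preserve that intent, and since `find()` is now evaluated on the handshake path rather than a constant comparison, it is worth stating in that comment whether the lookup is expected to be cheap.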
ClientKeyExchangeService is a pretty common name.
"ClientKeyExchangeService.find(keyExchange.name)" does not sound like it
is for KRB5 only at present. For some similar updates in this fix, the
code reader may be confused if he/she does not know the history of this
fix. Would you mind adding a comment like "For external KRB5 cipher suite
at present"?
src/java.base/share/classes/sun/security/ssl/JsseJce.java
-----------------
- kerberosAvailable = p != null;
+ kerberosAvailable = (p != null);
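Review bot: the parentheses are style only; what this assignment still lacks is a comment explaining why availability is computed with core reflection instead of ClientKeyExchangeService.find(), given the circular-initialization problem with CipherSuite described below (item 1), so that a later cleanup does not "simplify" it into the call that cannot be made here.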
Easier to read.
Otherwise, looks fine to me.
Xuelei
On 5/27/2015 12:45 PM, Weijun Wang wrote:
> Oh, not the last one. Here is a new one that uses String instead of
> CipherSuite.KeyExchange in the service interface. 1) below is thus
> resolved.
>
> http://cr.openjdk.java.net/~weijun/8038089/webrev.07/
>
> Thanks
> Max
>
> On 5/26/2015 11:32 AM, Weijun Wang wrote:
>> This is the latest webrev of this bug
>>
>> http://cr.openjdk.java.net/~weijun/8038089/webrev.06/
>>
>> No significant change from the previous one, mainly a rebase.
>>
>> There are some issues which need changes inside JSSE. I'd like to file
>> another bug for them.
>>
>> 1. JsseJce.java still uses core reflection to detect whether Kerberos
>> support is available. It cannot call ClientKeyExchangeService.find()
>> because there is a circular initialization problem between it and
>> CipherSuite.
>>
>> 2. CipherSuite.java still contains hard coded krb5-related KeyExchange
>> and CipherSuite values. These should be moved into plugin.
>>
>> Finally, a lot of you spoke out that RFC 2712 is dead and we needn't
>> support it. Thanks for the advice. However, this code change is mainly
>> a refactoring of existing code because in jdk9 we will have to separate
>> TLS and Kerberos into different modules, and we cannot simply drop the
>> feature.
>>
>> Thanks
>> Max
>>
>> On 9/16/2014 9:31 AM, Wang Weijun wrote:
>>> Hi Xuelei
>>>
>>> Please review the latest code change at
>>>
>>> http://cr.openjdk.java.net/~weijun/8038089/webrev.04/
>>>
>>> Compared with webrev.03, only the way the provider is loaded is
>>> changed, which is the static block on lines 50-71 of Krb5Helper.java.
>>>
>>> Thanks
>>> Max
>>>
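The circular-initialization problem Max describes in item 1 (JsseJce cannot call ClientKeyExchangeService.find() because CipherSuite and the service class initialize each other) is easy to reproduce in miniature. The program below is an added illustration for this thread, not code from the JDK or from the webrev: Suite, Registry and CircularInitDemo are stand-in names, and the reflection probe targets java.util.HashMap only so that it runs on any JDK.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed demonstration of a two-class static-initialization cycle and of
// the reflection-based availability probe used to stay out of it.
public class CircularInitDemo {

    // Stand-in for CipherSuite: its static initializer asks the registry
    // whether the KRB5 service exists before its own fields are all set.
    static final class Suite {
        static final boolean KRB5_AVAILABLE;
        static {
            // This triggers Registry's <clinit>, which reads Suite.NAME while
            // Suite's own <clinit> is still running on this thread.
            KRB5_AVAILABLE = Registry.find("KRB5") != null;
        }
        // Deliberately not a compile-time constant, so it is not inlined and
        // really does read as null until this line has executed.
        static final String NAME = System.getProperty("demo.suite.name", "KRB5");
    }

    // Stand-in for ClientKeyExchangeService: registers services by suite name.
    static final class Registry {
        private static final Map<String, Object> SERVICES = new HashMap<>();
        static {
            // JLS 12.4.2: a recursive initialization request by the same
            // thread returns immediately, so Suite.NAME is observed as null
            // here and the service ends up registered under a null key.
            SERVICES.put(Suite.NAME, new Object());
        }
        static Object find(String name) {
            return SERVICES.get(name);
        }
    }

    // The workaround from the mail: probe for the plugin by class name with
    // core reflection, which touches neither Suite nor Registry. The
    // initialize=false argument avoids running the probed class's <clinit>.
    static boolean kerberosAvailableByReflection(String probeClass) {
        try {
            Class.forName(probeClass, false, CircularInitDemo.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Forces Suite's initialization first, which drives the cycle above.
        System.out.println("Suite.KRB5_AVAILABLE = " + Suite.KRB5_AVAILABLE);
        System.out.println("Registry.find(\"KRB5\") = " + Registry.find("KRB5"));
        System.out.println("Suite.NAME after init = " + Suite.NAME);
        System.out.println("reflection probe (java.util.HashMap) = "
                + kerberosAvailableByReflection("java.util.HashMap"));
        System.out.println("reflection probe (missing class) = "
                + kerberosAvailableByReflection("demo.does.not.Exist"));
    }
}
```

Running it shows the hazard: Suite.KRB5_AVAILABLE is computed while Suite.NAME is still null, so the registry never sees the real name and the availability flag is wrong even though the service was "registered". The reflection probe reports availability without entering either class's initializer, which is why the JsseJce detection in the webrev stays on core reflection until the dependency between CipherSuite and the service lookup is untangled.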