KRB5 (was Re: Code Review Request: TLS 1.3 Implementation)
Weijun Wang
weijun.wang at oracle.com
Thu Jun 7 14:49:51 UTC 2018
> On Jun 7, 2018, at 10:47 PM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>
> CipherSuite.java
> ----------------
> I think we may still want to have the KRB5 cipher suite in the unsupported list, as we did from line 455.
>
> - TLS_KRB5_WITH_3DES_EDE_CBC_SHA(
> - 0x001F, false, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "",
> - ProtocolVersion.PROTOCOLS_TO_T12,
> - K_KRB5, B_3DES, M_SHA, H_SHA256),
> + TLS_KRB5_WITH_3DES_EDE_CBC_SHA("TLS_KRB5_WITH_3DES_EDE_CBC_SHA", 0x001F),
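Review bot: K_KRB5 on the removed `K_KRB5, B_3DES, M_SHA, H_SHA256),` line loses this user once the entry is reduced to the two-argument name-and-id form, so check that the K_KRB5 key exchange constant and any code that branches on it are removed in the same change rather than left behind as dead code. A short comment beside the new `TLS_KRB5_WITH_3DES_EDE_CBC_SHA("TLS_KRB5_WITH_3DES_EDE_CBC_SHA", 0x001F)` entry stating that it is kept only as a known but unsupported suite would also help later readers.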
Or
CS_001F("TLS_KRB5_WITH_3DES_EDE_CBC_SHA", 0x001F),
which matches the naming style of other unsupported CS.
--Max
>
> I may prefer to have lines 545-549 (old lines) there as unsupported cipher suites.
>
> Otherwise, looks fine to me.
>
> Thanks,
> Xuelei
>
>
> On 6/7/2018 7:41 AM, Weijun Wang wrote:
>> Please take a review
>> http://cr.openjdk.java.net/~weijun/9999999/webrev.more-krb5-cleanup/
>> --Max
>>> On Jun 7, 2018, at 10:24 PM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>>
>>>> Yes, please KRB5 cipher suite from the supported list.
>>> Typo: Yes, please remove KRB5 cipher suite from the supported list.
>>>
>>> On 6/7/2018 7:23 AM, Xuelei Fan wrote:
>>>> Yes, please KRB5 cipher suite from the supported list.
>>>> For the public APIs part, please leave it as it is before we deprecate the specification. Some other JSSE provider might still support KRB5 cipher suites.
>>>> Xuelei
>>>> On 6/7/2018 1:45 AM, Weijun Wang wrote:
>>>>> And there is the word Kerberos in public APIs:
>>>>>
>>>>> share/classes/javax/net/ssl/SSLContext.java
>>>>> 336: * Some cipher suites (such as Kerberos) require remote hostname
>>>>> 366: * Some cipher suites (such as Kerberos) require remote hostname
>>>>>
>>>>> share/classes/javax/net/ssl/HttpsURLConnection.java
>>>>> 106: * such as Kerberos, will throw an SSLPeerUnverifiedException.
>>>>> 130: * such as Kerberos.
>>>>> 134: * KerberosPrincipal for Kerberos cipher suites.
>>>>> 158: * return null for non-certificate based ciphersuites, such as Kerberos.
>>>>> 162: * KerberosPrincipal for Kerberos cipher suites. If no principal was
>>>>>
>>>>> share/classes/javax/net/ssl/SSLContextSpi.java
>>>>> 90: * Some cipher suites (such as Kerberos) require remote hostname
>>>>> 110: * Some cipher suites (such as Kerberos) require remote hostname
>>>>>
>>>>> share/classes/javax/net/ssl/SSLEngine.java
>>>>> 395: * Some cipher suites (such as Kerberos) require remote hostname
>>>>> 397: * constructor to use Kerberos.
>>>>>
>>>>> share/classes/javax/net/ssl/SSLSession.java
>>>>> 221: * such as Kerberos, will throw an SSLPeerUnverifiedException.
>>>>> 264: * such as Kerberos, will throw an SSLPeerUnverifiedException.
>>>>> 295: * KerberosPrincipal for Kerberos cipher suites.
>>>>> 313: * KerberosPrincipal for Kerberos cipher suites. If no principal was
>>>>>
>>>>> share/classes/javax/net/ssl/HandshakeCompletedEvent.java
>>>>> 122: * such as Kerberos, will throw an SSLPeerUnverifiedException.
>>>>> 145: * such as Kerberos, will throw an SSLPeerUnverifiedException.
>>>>> 178: * KerberosPrincipal for Kerberos cipher suites.
>>>>> 208: * KerberosPrincipal for Kerberos cipher suites. If no principal was
>>>>>
>>>>> --Max
>>>>>
>>>>>> On Jun 7, 2018, at 4:31 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>>>>>
>>>>>> I still see K_KRB5 KeyExchange and TLS_KRB5_WITH_3DES_EDE_CBC_SHA etc. in CipherSuite.java. Shall I also remove them?
>>>>>>
>>>>>> Thanks
>>>>>> Max
>>>>>>
>>>>>