RFR: 8273670: Remove weak etypes from default krb5 etype list

Weijun Wang weijun at openjdk.java.net
Sat Sep 25 01:30:53 UTC 2021


On Fri, 24 Sep 2021 22:06:27 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> This is because MIT krb5 treats DES as weak and RC4 as deprecated. In Java, we treat both as weak after JDK-8139348 (the title is "Deprecate 3DES and RC4 in Kerberos" but this "deprecate" is not the same as the one in MIT krb5). This means when "allow_weak_crypto = true" we've already removed RC4. Since this code change is about removing weak etypes from the default "permitted_enctypes", we should be consistent.
>
> Perhaps you meant "false" in the sentence below?
> 
>> when "allow_weak_crypto = true" we've already removed RC4.

Yes. Typo.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5654

