RFR: 8362268 : NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against Active Directory

Michael Osipov duke at openjdk.org
Thu Aug 21 18:49:52 UTC 2025


On Thu, 21 Aug 2025 18:38:19 GMT, Weibing Xiao <wxiao at openjdk.org> wrote:

> I can not revert the previous change. It will close the unused sockets in JVM before next GC to clean them.

I see.

> Once simple fix in application cod for this NPE is increasing buffer size by setting javax.security.sasl.maxbuffer in the context to overwrite the hard coded buffer size in AbstractSaslImpl.java.

No, that will not solve the problem here at all. Active Directory does not support auth-int/-conf on a TLS wrapped connection. It sends a message to notify the client. The client (Java JNDI) does not know this and reads the first bytes assuming the SASL buffer size, but it is a non-wrapped message. I can provide pcaps, if you like.

> This NPE is more or less related to the timing. The context was cleared earlier than output stream got flush, but the later code is actually running earlier, but completed later.

Yes, but how will this change solve the problem? Do you intend to add another PR to address it?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/26566#issuecomment-3211715276


More information about the security-dev mailing list