RFR 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine

Weijun Wang weijun.wang at oracle.com
Tue May 26 03:32:42 UTC 2015


This is the latest webrev of this bug

    http://cr.openjdk.java.net/~weijun/8038089/webrev.06/

No significant change from the previous one, mainly rebase.

There are some issues which need changes inside JSSE. I'd like to file 
another bug for them.

1. JsseJce.java still uses core reflection to detect whether Kerberos 
support is available. It cannot call ClientKeyExchangeService.find() 
because there is a circular initialization problem between it and 
CipherSuite.

2. CipherSuite.java still contains hard coded krb5-related KeyExchange 
and CipherSuite values. These should be moved into plugin.

Finally, a lot of you speak out that RFC 2712 is dead and we needn't 
support them. Thanks for the advice. However, this code change is mainly 
a refactoring of existing codes because in jdk9 we will have to separate 
TLS and Kerberos into different modules, and we cannot simply drop the 
feature.

Thanks
Max

On 9/16/2014 9:31 AM, Wang Weijun wrote:
> Hi Xuelei
>
> Please review the latest code change at
>
>     http://cr.openjdk.java.net/~weijun/8038089/webrev.04/
>
> Compared with webrev.03, only the way the provider is loaded is changed, which is the static block on lines 50-71 of Krb5Helper.java.
>
> Thanks
> Max
>


More information about the security-dev mailing list