- Bug
- Resolution: Fixed
- P3
- 8
- b96
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8222761 | 7u241 | Sean Coffey | P3 | Resolved | Fixed | b01 |
JDK-8223094 | 7u231 | Sean Coffey | P3 | Resolved | Fixed | b03 |
JDK-8240025 | openjdk7u | Andrew Hughes | P3 | Resolved | Fixed | master |
After the change for disabling DES-related etypes, JAAS login in the test fails with an NPE.
Test Configuration :
-------------------------
SEAM instance SEAM.THREE.COM was used
Client side krb5.conf has
default_tkt_enctypes=des-cbc-md5
default_tgs_enctypes=des-cbc-md5
permitted_enctypes=des-cbc-md5
and does not have allow_weak_crypto = true.
At this point a meaningful error message
like "Failure unspecified at GSS-API level (Mechanism level: Encryption type DES CBC mode with CRC-32 is not supported/enabled)"
is expected.
Instead an NPE is obtained:
javax.security.auth.login.LoginException: java.lang.NullPointerException
at sun.security.krb5.internal.KDCReqBody.asn1Encode(KDCReqBody.java:251)
at sun.security.krb5.internal.KDCReq.asn1Encode(KDCReq.java:203)
at sun.security.krb5.KrbAsReq.encoding(KrbAsReq.java:145)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:765)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:616)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:491)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:777)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:688)
at javax.security.auth.login.LoginContext.login(LoginContext.java:586)
at Server.main(Server.java:670)
If krb5.conf on the client side is modified to include "allow_weak_crypto = true",
login happens.
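Added example (not part of the original report or the JDK sources): a pre-flight check that flags a krb5.conf in the state described above, where every listed enctype is weak and allow_weak_crypto is not true. The weak set, the function names and the sample file are assumptions made for illustration.

```python
import re

# Assumption: the single-DES enctypes named in this report are the weak set.
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5"}
ETYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample reproducing the client configuration from the report.
SAMPLE_FAILING = """\
[libdefaults]
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
permitted_enctypes = des-cbc-md5
"""

def parse_libdefaults(text):
    """Return the key -> value settings of the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def effective_enctypes(text):
    """Map each configured enctype key to what remains once weak types are dropped."""
    conf = parse_libdefaults(text)
    # Assumption: only the literal value "true" enables weak crypto.
    allow_weak = conf.get("allow_weak_crypto", "false").lower() == "true"
    result = {}
    for key in ETYPE_KEYS:
        if key in conf:
            names = [n for n in re.split(r"[,\s]+", conf[key].lower()) if n]
            result[key] = [n for n in names if allow_weak or n not in WEAK_ETYPES]
    return result

def unusable_keys(text):
    """Keys whose enctype list is empty after filtering, i.e. nothing left to offer."""
    return sorted(k for k, v in effective_enctypes(text).items() if not v)

if __name__ == "__main__":
    for key in unusable_keys(SAMPLE_FAILING):
        print(f"{key}: only weak enctypes listed and allow_weak_crypto is not true")
```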
- backported by
  - JDK-8222761 JAAS/Krb5LoginModule using des encytypes failure with NPE after JDK-8012679 (Resolved)
  - JDK-8223094 JAAS/Krb5LoginModule using des encytypes failure with NPE after JDK-8012679 (Resolved)
  - JDK-8240025 JAAS/Krb5LoginModule using des encytypes failure with NPE after JDK-8012679 (Resolved)
- relates to
  - JDK-8058608 JVM crash during Kerberos logins using des3-cbc-md5 on OSX (Resolved)
  - JDK-8012679 Let allow_weak_crypto default to false (Closed)