JDK-8038089: TLS optional support for Kerberos cipher suites needs to be re-examined


        TLS has optional support for Kerberos cipher suites. The current implementation uses Class.forName to load the Kerberos classes and will support the extended cipher suites if the classes are present.

        sun.security.ssl.JsseJce
           ->sun.security.krb5.PrincipalName

        sun.security.ssl.KerberosClientKeyExchange
           ->sun.security.ssl.krb5.KerberosClientKeyExchangeImpl

        sun.security.ssl.Krb5Helper
           ->sun.security.ssl.krb5.Krb5ProxyImpl

        The current solution works well for Compact Profiles in JDK 8 but will be problematic in JDK 9 when we have modules. With modules, TLS will probably be in the base module, and it is likely that Kerberos will be in its own module and will not export the module-private krb5 classes (see the jake forest for the current module graph).

        This bug requests that the current implementation be re-examined and the reflection solution eliminated if possible. One approach to examine is using ServiceLoader so that the Kerberos module includes a service provider that TLS can use if present.
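
The two lookup styles discussed above, side by side, as an added example that is not JDK code and not part of the original report. The `KerberosSupport` interface, the class `OptionalKerberosLookup` and its methods are hypothetical names, and the cipher suite names are illustrative; only the reflective target class name comes from the issue text.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.ServiceConfigurationError;
import java.util.ServiceLoader;

public class OptionalKerberosLookup {

    /** Hypothetical service interface, owned and exported by the TLS side. */
    public interface KerberosSupport {
        String servicePrincipal(String host);
    }

    /** Reflection style: needs the impl class to be present AND accessible. */
    static Optional<Object> reflective(String implClass) {
        try {
            return Optional.of(Class.forName(implClass)
                    .getDeclaredConstructor().newInstance());
        } catch (ReflectiveOperationException | LinkageError e) {
            return Optional.empty();   // absent, or present but not accessible
        }
    }

    /** ServiceLoader style: the caller names only the exported interface. A
     *  Kerberos module would declare "provides KerberosSupport with <its impl>"
     *  in its module-info, so no module-private class name leaks into TLS. */
    static Optional<KerberosSupport> viaServiceLoader() {
        try {
            return ServiceLoader.load(KerberosSupport.class).findFirst();
        } catch (ServiceConfigurationError e) {
            return Optional.empty();   // broken provider: treat as absent
        }
    }

    /** Kerberos suites are offered only when a provider was found. */
    static List<String> offeredSuites(Optional<KerberosSupport> krb) {
        List<String> suites = new ArrayList<>(List.of("TLS_RSA_WITH_AES_128_CBC_SHA"));
        krb.ifPresent(k -> suites.add("TLS_KRB5_WITH_3DES_EDE_CBC_SHA"));
        return suites;
    }

    public static void main(String[] args) {
        System.out.println("reflective: "
                + reflective("sun.security.ssl.krb5.Krb5ProxyImpl").isPresent());
        Optional<KerberosSupport> krb = viaServiceLoader();
        System.out.println("service provider: " + krb.isPresent());
        System.out.println("offered suites: " + offeredSuites(krb));
    }
}
```

Run with no provider registered, the service lookup comes back empty and only the non-Kerberos suite is offered, which is the behaviour wanted when the Kerberos module is not installed.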

              weijun Weijun Wang
              alanb Alan Bateman