TLS has optional support for Kerberos cipher suites. The current implementation uses Class.forName to load the Kerberos classes and will support the extended cipher suites if the classes are present.

sun.security.ssl.JsseJce
   ->sun.security.krb5.PrincipalName

sun.security.ssl.KerberosClientKeyExchange
   ->sun.security.ssl.krb5.KerberosClientKeyExchangeImpl

sun.security.ssl.Krb5Helper
   ->sun.security.ssl.krb5.Krb5ProxyImpl

The current solution works well for Compact Profiles in JDK 8 but will be problematic in JDK 9 when we have modules. With modules then TLS will probably be in the base module and it is likely that Kerberos will be in its own module and will not export the module-private krb5 classes (see jake forest for current module graph).

This bug requests that the current implementation be re-examined and the reflection solution eliminated if possible. One approach to examine is using ServiceLoader so that the Kerberos module includes a service provider that TLS can use if present.