- Bug
- Resolution: Fixed
- P4
- None
- b143
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8325961 | openjdk8u412 | Alexey Bakhtin | P4 | Resolved | Fixed | b04 |
Java's DFL-style rcache uses an MD5 hash, the same as krb5-1.14 and earlier; krb5-1.15 uses SHA-256. If the same AP-REQ is sent to krb5-1.15 first (which creates a new rcache entry) and then to a Java acceptor, Java cannot find a match in the rcache file and accepts it.
Precisely, Java sees two entries there: the first with SHA-256, the second the bare one. Java compares them to its own calculation and finds that 1) it matches the bare one and 2) it does not match the SHA-256 one; it then concludes that the AP-REQ is a different one, although sent at the same time.
Two solutions: 1) understand the SHA-256 entry and treat it as a match; 2) discard the SHA-256 entry and treat the bare one as a match.
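The matching behaviour described above and the two proposed solutions, as an added Java example that is not the JDK's own rcache code. It assumes an in-memory model of the cache rather than the on-disk format; the `Entry` class, the `isReplay` helper with its `understood` and `skipUnknown` parameters, and all sample values are hypothetical.

```java
import java.security.MessageDigest;
import java.util.*;

public class RcacheInterop {
    // Model (assumption): alg == null is a bare entry; otherwise the entry carries
    // a digest of the AP-REQ tagged with the name of the hash algorithm.
    static final class Entry {
        final String id, alg; final byte[] hash;   // id stands for client/server/time
        Entry(String id, String alg, byte[] hash) { this.id = id; this.alg = alg; this.hash = hash; }
    }

    static byte[] digest(String alg, byte[] apReq) throws Exception {
        return MessageDigest.getInstance(alg).digest(apReq);
    }

    // Returns true when the incoming AP-REQ is judged to be a replay.
    // understood  = hash algorithms this acceptor can recompute (solution 1 adds SHA-256)
    // skipUnknown = solution 2: ignore entries whose algorithm is not understood
    static boolean isReplay(List<Entry> cache, String id, byte[] apReq,
                            Set<String> understood, boolean skipUnknown) throws Exception {
        boolean sawDifferentHash = false;
        for (Entry e : cache) {
            if (!e.id.equals(id)) continue;
            if (e.alg == null) {                     // bare entry
                if (!sawDifferentHash) return true;  // nothing contradicts the match
                sawDifferentHash = false;
            } else if (understood.contains(e.alg)) {
                if (Arrays.equals(e.hash, digest(e.alg, apReq))) return true;
                sawDifferentHash = true;             // same time, different message
            } else if (!skipUnknown) {
                sawDifferentHash = true;             // unknown hash read as "different AP-REQ"
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        byte[] apReq = "constructed AP-REQ bytes".getBytes("UTF-8");
        String id = "client@REALM|host/server@REALM|1700000000|42"; // constructed
        // What krb5-1.15 leaves behind per the report: SHA-256 entry, then the bare one.
        List<Entry> cache = Arrays.asList(
            new Entry(id, "SHA-256", digest("SHA-256", apReq)), new Entry(id, null, null));
        Set<String> md5 = Collections.singleton("MD5");
        Set<String> both = new HashSet<>(Arrays.asList("MD5", "SHA-256"));
        System.out.println("MD5 only (reported)   : " + isReplay(cache, id, apReq, md5, false));
        System.out.println("solution 1, SHA-256   : " + isReplay(cache, id, apReq, both, false));
        System.out.println("solution 2, skip entry: " + isReplay(cache, id, apReq, md5, true));
    }
}
```

With the MD5-only settings the replayed AP-REQ is not flagged, while either solution reports it as a replay.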
- backported by
  - JDK-8325961 rcache interop with krb5-1.15 (Resolved)
- relates to
  - JDK-8329544 [8u] sun/security/krb5/auto/ReplayCacheTestProc.java cannot find the testlibrary (Resolved)