- CSR
- Resolution: Approved
- P4
- None
- behavioral
- minimal
- File or wire format
- Implementation
Summary
Remove support for the default_checksum and safe_checksum_type settings in krb5.conf.
Problem
The default_checksum setting was introduced when DES was the only encryption type in Kerberos 5. Since then, new encryption types have been added and DES was deprecated by RFC 6649 in 2012. DES is not enabled in OpenJDK unless a special allow_weak_crypto setting is set.
safe_checksum_type was read but never used by OpenJDK.
MIT krb5 already removed all settings around checksum types in 2019 with https://krbdev.mit.edu/rt/Ticket/Display.html?id=8804.
Solution
Do not read the settings anymore. The checksum type used in TGS-REQ (which was determined by default_checksum) will be derived from the encryption type.
Specification
In the "The Kerberos 5 GSS-API Mechanism" section of the "Security Developers Guide" doc (JDK 17 version at https://docs.oracle.com/en/java/javase/17/security/kerberos-5-gss-api-mechanism.html), remove "ap_req_checksum_type", "default_checksum", and "safe_checksum_type" from the "The following parameters are supported" text box.
Note: "ap_req_checksum_type" was also never used by OpenJDK and it does not appear in the code at all.
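Because the removed settings are simply no longer read, a krb5.conf that still carries them gives no error after the change. The following checker is an added example, not part of the CSR or of OpenJDK: it reports those settings in the top-level [libdefaults] section and whether allow_weak_crypto is on. The function name, the sample file and the accepted boolean spellings are assumptions.

```python
import re

# Settings the CSR removes from the supported list (constructed checker, not JDK code).
REMOVED = {"default_checksum", "safe_checksum_type", "ap_req_checksum_type"}
TRUE_VALUES = {"true", "yes"}  # assumption: spellings treated as boolean true

# Constructed sample krb5.conf, not from a real deployment.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    default_checksum = rsa-md5
    safe_checksum_type = 8
    allow_weak_crypto = true
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
        default_checksum = rsa-md5
    }
"""

def audit_krb5_conf(text):
    """Return ([(line, setting, value)], weak_crypto) for top-level [libdefaults] keys."""
    findings, weak_crypto, section, depth = [], False, None, 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:            # new top-level section
            section = header.group(1).strip().lower()
        elif line.endswith("{"):             # entering a nested block such as a realm
            depth += 1
        elif line.startswith("}"):           # leaving a nested block
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in REMOVED:
                findings.append((lineno, key.lower(), value))
            elif key.lower() == "allow_weak_crypto":
                weak_crypto = value.lower() in TRUE_VALUES
    return findings, weak_crypto

if __name__ == "__main__":
    found, weak = audit_krb5_conf(SAMPLE)
    for lineno, key, value in found:
        print(f"line {lineno}: {key} = {value} is set but no longer read")
    print("allow_weak_crypto enabled (DES possible):", weak)
```

The copy of default_checksum inside the [realms] block is deliberately not reported, since the checker only looks at top-level [libdefaults] keys.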
- csr of JDK-8274656 Remove default_checksum and safe_checksum_type from krb5.conf (Resolved)