Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8274657

Remove default_checksum and safe_checksum_type from krb5.conf

    XMLWordPrintable

Details

    • CSR
    • Resolution: Approved
    • P4
    • 18
    • security-libs
    • None
    • behavioral
    • minimal
    • File or wire format
    • Implementation

    Description

      Summary

      Remove support for default_checksum and safe_checksum_type settings in krb5.conf.

      Problem

      The default_checksum setting was introduced when DES was the only encryption type in Kerberos 5. Since then, new encryption types have been added and DES was deprecated by RFC 6649 in 2012. It's not enabled in OpenJDK unless a special allow_weak_crypto setting is set.

      safe_checksum_type was read but not never used by OpenJDK.

      MIT krb5 has already removed all settings around checksum types in 2019 with https://krbdev.mit.edu/rt/Ticket/Display.html?id=8804.

      Solution

      Do not read the settings anymore. The checksum type used in TGS-REQ (which was determined by default_checksum) will be derived from the encryption type.

      Specification

      In the "The Kerberos 5 GSS-API Mechanism" section of "Security Developers Guide" doc (jdk 17 version at https://docs.oracle.com/en/java/javase/17/security/kerberos-5-gss-api-mechanism.html), remove "ap_req_checksum_type", "default_checksum", and "safe_checksum_type" from the "The following parameters are supported" text box.

      Note: "ap_req_checksum_type" was also never used by OpenJDK and it does not appear in the code at all.

      Attachments

        Issue Links

          Activity

            People

              weijun Weijun Wang
              weijun Weijun Wang
              Valerie Peng
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: