JDK / JDK-8025123

SNI support in Kerberos cipher suites

    Details

    • Subcomponent:
    • Resolved In Build:
      b112
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Verified

      Description

      Let's consider the following configuration:

      1. There are two HTTPS sites on the same machine:

      https_service_1.test.machine
      https_service_2.test.machine

      2. The KDC contains records for both HTTPS services:

      host/https_service_1.test.machine@TEST.REALM
      host/https_service_2.test.machine@TEST.REALM

      3. The client wants to request the https_service_1.test.machine service, and it sends the SNI host name 'https_service_1.test.machine' during the handshake.

      But currently the TGS-REQ from the client to the KDC contains the service name 'host/machine.name@TEST.REALM', so SNI host names are not taken into account.

      I think there should be a way to set a service principal for TLS_KRB5 cipher suites. SNI host names could be used here.

            People

            • Assignee:
              asmotrak Artem Smotrakov
              Reporter:
              asmotrak Artem Smotrakov
