JDK-8025123

SNI support in Kerberos cipher suites


    Details

    • Subcomponent:
    • Resolved In Build:
      b112
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Verified

      Description

      Let's consider the following configuration:

      1. There are two HTTPS sites on the same machine:

      https_service_1.test.machine
      https_service_2.test.machine

      2. The KDC contains records for both HTTPS services:

      host/https_service_1.test.machine@TEST.REALM
      host/https_service_2.test.machine@TEST.REALM

      3. The client wants to request the https_service_1.test.machine service, and it sends the SNI host name 'https_service_1.test.machine' during the handshake.

      But currently the TGS-REQ from the client to the KDC contains the service name 'host/machine.name@TEST.REALM', so SNI host names are not taken into account.

      I think there should be a way to set a service principal for TLS_KRB5 cipher suites. SNI host names could be used here.

            People

            Assignee:
            asmotrak Artem Smotrakov
            Reporter:
            asmotrak Artem Smotrakov
            Votes:
            0
            Watchers:
            4
