Remove support for
safe_checksum_type settings in
default_checksum setting was introduced when DES was the only encryption type in Kerberos 5. Since then, new encryption types have been added and DES was deprecated by RFC 6649 in 2012. It's not enabled in OpenJDK unless a special
allow_weak_crypto setting is set.
safe_checksum_type was read but not never used by OpenJDK.
MIT krb5 has already removed all settings around checksum types in 2019 with https://krbdev.mit.edu/rt/Ticket/Display.html?id=8804.
Do not read the settings anymore. The checksum type used in TGS-REQ (which was determined by
default_checksum) will be derived from the encryption type.
In the "The Kerberos 5 GSS-API Mechanism" section of "Security Developers Guide" doc (jdk 17 version at https://docs.oracle.com/en/java/javase/17/security/kerberos-5-gss-api-mechanism.html), remove "ap_req_checksum_type", "default_checksum", and "safe_checksum_type" from the "The following parameters are supported" text box.
Note: "ap_req_checksum_type" was also never used by OpenJDK and it does not appear in the code at all.