Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8274657

Remove default_checksum and safe_checksum_type from krb5.conf

    XMLWordPrintable

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 18
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Interface Kind:
      File or wire format
    • Scope:
      Implementation

      Description

      Summary

      Remove support for default_checksum and safe_checksum_type settings in krb5.conf.

      Problem

      The default_checksum setting was introduced when DES was the only encryption type in Kerberos 5. Since then, new encryption types have been added and DES was deprecated by RFC 6649 in 2012. It's not enabled in OpenJDK unless a special allow_weak_crypto setting is set.

      safe_checksum_type was read but not never used by OpenJDK.

      MIT krb5 has already removed all settings around checksum types in 2019 with https://krbdev.mit.edu/rt/Ticket/Display.html?id=8804.

      Solution

      Do not read the settings anymore. The checksum type used in TGS-REQ (which was determined by default_checksum) will be derived from the encryption type.

      Specification

      In the "The Kerberos 5 GSS-API Mechanism" section of "Security Developers Guide" doc (jdk 17 version at https://docs.oracle.com/en/java/javase/17/security/kerberos-5-gss-api-mechanism.html), remove "ap_req_checksum_type", "default_checksum", and "safe_checksum_type" from the "The following parameters are supported" text box.

      Note: "ap_req_checksum_type" was also never used by OpenJDK and it does not appear in the code at all.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              weijun Weijun Wang
              Reviewed By:
              Valerie Peng
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: