Hi, Max,
Changes look fine, here are some minor comments:
1) In EType.java, line 60, 64 should be indented w/ one extra space.
2) In EType.java, there should be comments added to "BUILTIN_ETYPES",
and "BUILTIN_ETYPES_NOAES256" mentioning about the first two entries are
removed when ALLOW_WEAK_CRYPTO is false.
3) In EType.java, line 235 and 236 still mentions these weak crypto
etypes regardless. Shouldn't it be updated?
Thanks,
Valerie
On 02/28/10 23:07, Max (Weijun) Wang wrote:
Hi Valerie
Can you please take a review on this fix?
http://cr.openjdk.java.net/~weijun/6844909/webrev.00
Basically, when "allow_weak_crypto = false" is set in krb5.conf's
[libdefaults], DES-related etypes will not be used. Note that this setting also removes
any weak etypes in the default_*_enctypes settings. This config was added in MIT's
krb5-1.7 and defaults to false in 1.8. However, for compatibility (which we care a lot in
Java), its default value is still true in Java.
Thanks
Max
*Change Request ID*: 6844909
*Synopsis*: support allow_weak_crypto in krb5.conf
=== *Description* ============================================================
Latest MIT krb5 supports a allow_weak_crypto key in krb5.conf, when set to
true, disallows DES be used in all kinds of etypes. We can support it also.
Currently, MIT krb5's default value for this key is false, but it might become
true one day.
It's true in 1.8 now.
*** (#1 of 1): 2009-05-26 03:50:36 GMT+00:00 [email protected]
