On Fri, 24 Sep 2021 19:33:12 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> This code change removes weak etypes from the default list so it's safer to >> enable one of them. See the corresponding CSR at >> https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, >> please review the CSR as well. > > src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java > line 101: > >> 99: if (allowWeakCrypto) { >> 100: result[num++] = EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD; >> 101: result[num++] = EncryptedData.ETYPE_ARCFOUR_HMAC; > > MIT still has arcfour-hmac-md5 in the enabled list - do you think there is > any reason (compatibility) we should do the same? Note that I think it is > better that we don't though. See "permitted_enctypes" at > https://web.mit.edu/Kerberos/krb5-1.19/doc/admin/conf_files/krb5_conf.html#libdefaults. This is because MIT krb5 treats DES as weak and RC4 as deprecated. In Java, we treat both as weak after JDK-8139348 (the title is "Deprecate 3DES and RC4 in Kerberos" but this "deprecate" is not the same as the one in MIT krb5). This means when "allow_weak_crypto = true" we've already removed RC4. Since this code change is about removing weak etypes from the default "permitted_enctypes", we should be consistent. ------------- PR: https://git.openjdk.java.net/jdk/pull/5654
