On Fri, 24 Sep 2021 21:38:39 GMT, Weijun Wang <[email protected]> wrote:
>> src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java
>> line 101:
>>
>>> 99: if (allowWeakCrypto) {
>>> 100: result[num++] = EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
>>> 101: result[num++] = EncryptedData.ETYPE_ARCFOUR_HMAC;
>>
>> MIT still has arcfour-hmac-md5 in the enabled list - do you think there is
>> any reason (compatibility) we should do the same? Note that I think it is
>> better that we don't though. See "permitted_enctypes" at
>> https://web.mit.edu/Kerberos/krb5-1.19/doc/admin/conf_files/krb5_conf.html#libdefaults.
>
> This is because MIT krb5 treats DES as weak and RC4 as deprecated. In Java,
> we treat both as weak after JDK-8139348 (the title is "Deprecate 3DES and RC4
> in Kerberos" but this "deprecate" is not the same as the one in MIT krb5).
> This means when "allow_weak_crypto = true" we've already removed RC4. Since
> this code change is about removing weak etypes from the default
> "permitted_enctypes", we should be consistent.
Perhaps you meant "false" in the sentence below?
> when "allow_weak_crypto = true" we've already removed RC4.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5654
