LdapCtxt:

    /**
     * Sets the read timeout value
     */
    private void setChannelBindingType(String cbTypeProp) {


Not sure if that javadoc is the right one? And I also wonder if enforcing the 
timeout is needed, and if yes, whether it should be documented why. It was not 
obvious to me.


What about having two type names (TlsChannelBindingType.TLS_SERVER_END_POINT 
and TlsChannelBindingType.TLS_SERVER_END_POINT_COMPAT)?


This could be configured as a SASL property, and it would add the benefit that 
you don't need the instance-specific if in the gssstub native code if you 
instead have two different type values?


Regards

Bernd

________________________________
From: security-dev <security-dev-boun...@openjdk.java.net> on behalf of Alexey 
Bakhtin <ale...@azul.com>
Sent: Wednesday, May 27, 2020 11:43 AM
To: Valerie Peng
Cc: security-...@openjdk.java.net; core-libs-dev@openjdk.java.net; Thomas Maslen
Subject: Re: RFR: 8245527: LDAP Channel Binding support for Java GSS/Kerberos

Hello Valerie,

Unfortunately, Windows LDAP server with LdapEnforceChannelBinding=2 does not 
accept the GSS_C_AF_NULLADDR address type. This is the exact reason for these 
changes. I've tried to fix the inconsistency of the address type value in the 
latest webrev: 
http://cr.openjdk.java.net/~abakhtin/8245527/webrev.v2/
