On 4/16/2013 5:44 PM, Weijun Wang wrote: >> >> I am not sure how to do that. Can I just skip this check and whenever >> subject != null always set resumingSession to true? This is not very >> correct but is it possible to detect the mismatch later and "resume" the >> full negotiation? >> No, it is dangerous. The server has to make the right decision while parsing ClientHello.
Can you design a new Krb5Helper method to match the principals and implement it in krb5/Krb5ProxyImpl.java. If it is a bound krb5, need to match exactly; otherwise, the matching is performed per the request of unbound krb5. For unbound krb5, what's the return value of KerberosKey.getPrincipal()? Is it a "*"? If it is always a "*", we also can check it in ServerHandshake.java. I'm afraid it is not reliable so you won't consider it. > > It seems the purpose of this check is that, if it fails, you can be sure > that kerberos is not loaded so the full negotiation will try to find a > RSA ciphersuite. Is that right? > It depends. The check is also can be used to prevent abused session resuming. The following full negotiation acts like a new handshaking, so the Kerberos cipher suite may be used again. > I cannot call kerberos-specific codes in SSL because of module > independence. > krb5/Krb5ProxyImpl.java? See above. Xuelei
