On 4/16/13 8:18 PM, Xuelei Fan wrote:
On 4/16/2013 5:44 PM, Weijun Wang wrote:
I am not sure how to do that. Can I just skip this check and whenever
subject != null always set resumingSession to true? This is not very
correct but is it possible to detect the mismatch later and "resume" the
full negotiation?
No, it is dangerous. The server has to make the right decision while
parsing ClientHello.
Can you design a new Krb5Helper method to match the principals and
implement it in krb5/Krb5ProxyImpl.java. If it is a bound krb5, need to
match exactly; otherwise, the matching is performed per the request of
unbound krb5.
I'll try.
For unbound krb5, what's the return value of KerberosKey.getPrincipal()?
Unbound krb5 has no KerberosKey, it only has KeyTab, and KeyTab.isBound
is false.
-Max
Is it a "*"? If it is always a "*", we also can check it in
ServerHandshake.java. I'm afraid it is not reliable so you won't
consider it.
It seems the purpose of this check is that, if it fails, you can be sure
that kerberos is not loaded so the full negotiation will try to find a
RSA ciphersuite. Is that right?
It depends. The check is also can be used to prevent abused session
resuming. The following full negotiation acts like a new handshaking, so
the Kerberos cipher suite may be used again.
I cannot call kerberos-specific codes in SSL because of module
independence.
krb5/Krb5ProxyImpl.java? See above.
Xuelei
