Re: 答复: RFR 8036779: sun.security.krb5.KdcComm interprets kdc_timeout asmsec instead of sec

Wed, 14 May 2014 05:25:30 -0700 


On 5/14/2014 15:19, Xuelei Fan wrote:

On 5/14/2014 2:04 PM, Weijun Wang wrote:

What do you mean by detecting the platform? So if I find the file is
also used by NetBSD krb5 then I treat it as second and if not
millisecond?

Yes.


That's quite impossible. In my opinion, it all depends on
how the writer is educated, Java or some else.


The spec should be clear, and the writer should be well educated.  It
cannot be a condition to update the implementation that the write is not
educated.


How is this unsafe, especially compared to if we don't fix it? The only
bad thing is that if someone wants to set the timeout to be less than
120 ms, now there will be no way to do it. But that should never happen,
right?


My concerns is that it might happen. 120ms is not a small number, and
120s is not a big number in some circumstances.



120ms and 120s are possible values, but I doubt people will set them in 
krb5.conf.




Alternatively, for better inerop, we can suggest to use explicit spec in
the configure instead of guess the what the spec is.  Support two
default specs is really confusing.




Unless we drop kdc_timeout and invent a new key name, we will have to 
deal with the correctness (sec) and compatibility (msec) at the same 
time. Yes, we can suggest people always adding a unit, but it looks most 
people simply put a bare number there.


--Max


Xuelei


My comment in the bug mentions we can support "5s", but then I realize
it does not really solve the unit-less case.

Thanks
Max
------------------------------------------------------------------------
发件人: Xuelei Fan
发送时间: 2014/5/14 13:21
收件人: security-dev@openjdk.java.net
主题: Re: RFR 8036779: sun.security.krb5.KdcComm interprets kdc_timeout
asmsec instead of sec

This does not sound like a safe update to me.  Is it possible to
detected the actual kdc_timeout spec (for example, using the known
platform) of the underlying configuration?

Xuelei


On 5/14/2014 8:38 AM, Weijun Wang wrote:
 > Please review the code changes at
 >
 >     http://cr.openjdk.java.net/~weijun/8036779/webrev.00/
 >
 > The problem is that Java treats kdc_timeout as milliseconds but others
 > (NetBSD here) might treat it as seconds. With this code change,
when the
 > number is <= 120, it's seconds, otherwise, milliseconds.
 >
 > One exception would be that someone thinking NetBSD style could set it
 > to 999 for a "maximum" timeout but the final result is less than 1
 > second. In that case, we should advise him/her to set it to 99999999.
 >
 > Thanks
 > Max

























					Reply via email to