Bug ID: JDK-6388659 krb5 shouldn't use an empty salt field in KRB_ERROR

Details
Type: Bug
Submit Date: 2006-02-22
Status: Resolved
Updated Date: 2010-11-04
Project Name: JDK
Resolved Date: 2006-03-23
Component: security-libs
OS: solaris_10
Sub-Component: org.ietf.jgss:krb5
CPU: sparc
Priority: P4
Resolution: Fixed
Affected Versions: 6
Fixed Versions:

Description
The salt field in the KRB-ERROR 25 (precisely, the salt in PA-ETYPE-INFO/2 carried as the edata field inside KRB-ERROR) is used by the server to suggest the correct salt. However, when connecting to a Windows Server with an encryption type the server does not support (like AES-128), it can be an empty string (""). When trying to renegotiate with the server, the current Java code uses the empty string as the new salt and throws an exception.

When the user does not explicitly specify an encryption type in krb5.conf and tries to connect to a Windows Server, this bug always shows.

                                    

Comments
EVALUATION

We used to ignore a NULL PA-PW-SALT; it seems that an empty PA-PW-SALT should also be ignored.
                                     
2006-02-22
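
The following is an added illustration, not code from the JDK or from this report: a minimal Python decoder for the ETYPE-INFO2 hint that distinguishes an absent salt from an empty one and then treats both the same way. It assumes that "ignoring" the salt means falling back to the RFC 4120 default salt (realm followed by the principal name components); the sample bytes, realm and principal name are constructed.

```python
# Added example, not JDK code. Handles short-form DER lengths (< 128) only.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not supported here")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + 2:end], end

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def parse_etype_info2(der):
    """Decode ETYPE-INFO2 into [(etype, salt)]; salt is None when absent."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ETYPE-INFO2 must be a SEQUENCE")
    entries = []
    for etag, entry in children(seq):
        if etag != 0x30:
            raise ValueError("ETYPE-INFO2-ENTRY must be a SEQUENCE")
        etype, salt = None, None
        for ftag, field in children(entry):
            _, inner, _ = read_tlv(field, 0)   # unwrap the EXPLICIT tag
            if ftag == 0xA0:                    # etype [0] Int32
                etype = int.from_bytes(inner, "big", signed=True)
            elif ftag == 0xA1:                  # salt [1] KerberosString OPTIONAL
                salt = inner
        entries.append((etype, salt))
    return entries

def default_salt(realm, name_components):
    """RFC 4120 default salt: realm + name components, no separators."""
    return (realm + "".join(name_components)).encode("utf-8")

def effective_salt(suggested, realm, name_components):
    """Assumed policy: an empty suggested salt is ignored like an absent one."""
    return suggested if suggested else default_salt(realm, name_components)

# Constructed sample: etype 17 (AES-128) with salt "", etype 18 with no salt.
SAMPLE = bytes.fromhex("3012" "3009a003020111a1021b00" "3005a003020112")
```

Decoding `SAMPLE` yields one entry whose salt is `b""` and one whose salt is `None`; `effective_salt` resolves both to the same default salt, while a non-empty server-suggested salt is passed through unchanged.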


