JDK-8016594 : Native Windows ccache still reads DES tickets
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows
  • CPU: x86
  • Submitted: 2013-06-13
  • Updated: 2014-06-06
  • Resolved: 2013-08-08
Fix versions:
  • JDK 7: 7u60 (Fixed)
  • JDK 8: 8 b105 (Fixed)
Description
External report:

BTW, this looks very sketchy to me:

http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/3c08c9ebd1fb/src/windows/native/sun/security/krb5/NativeCreds.c

Like it uses CacheRequest without memset()ing it to zero first.

And it doesn't support newer enctypes!
Comments
This fix is quite critical for clients using Windows 2008 as the Active Directory server. Before the fix, Java always requests a ticket with a DES session key no matter what the supported encryption types are. Depending on the server configuration, in some cases a DES session key is issued, but DES is disabled by default in jdk8. In other cases, Windows could ignore the DES request and issue an AES-256 key. Unless the unlimited strength crypto policy is installed, Java will not be able to use the AES-256 key and will throw an "illegal key size" error. After this fix, the strongest supported encryption type is requested (AES-128 by default, or AES-256 if the unlimited strength crypto policy is installed), and the correct key will be issued.
20-12-2013
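
An added example (not part of the bug report or of the JDK fix) of the check the comment above describes: it asks the JCE policy for the maximum AES key size and shows which Kerberos session-key enctypes this JVM can use, strongest first, and how each issued key type would fare. The class name, the `allowWeak` flag and the restriction to the AES and DES enctypes named in the comment are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

public class KrbEtypeCheck {
    // Kerberos enctype numbers (RFC 3961, RFC 3962). aesBits == 0 marks single DES.
    enum EType {
        AES256_CTS_HMAC_SHA1_96(18, 256),
        AES128_CTS_HMAC_SHA1_96(17, 128),
        DES_CBC_MD5(3, 0),
        DES_CBC_CRC(1, 0);

        final int number;
        final int aesBits;
        EType(int number, int aesBits) { this.number = number; this.aesBits = aesBits; }
    }

    // Enctypes this JVM can use, strongest first (enum order is preference order).
    static List<EType> usable(int maxAesBits, boolean allowWeak) {
        List<EType> out = new ArrayList<>();
        for (EType e : EType.values()) {
            if (e.aesBits == 0 ? allowWeak : e.aesBits <= maxAesBits) out.add(e);
        }
        return out;
    }

    // Result of receiving a session key of type `issued` from the KDC.
    static String outcome(EType issued, int maxAesBits, boolean allowWeak) {
        if (usable(maxAesBits, allowWeak).contains(issued)) return "usable";
        return issued.aesBits == 0 ? "rejected: DES is disabled" : "rejected: illegal key size";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 128 under the limited policy; Integer.MAX_VALUE with the unlimited policy.
        int maxAesBits = Cipher.getMaxAllowedKeyLength("AES");
        boolean allowWeak = false; // assumption: DES stays disabled, as by default in jdk8
        System.out.println("Max AES key size allowed by JCE policy: " + maxAesBits);
        System.out.println("Request order: " + usable(maxAesBits, allowWeak));
        for (EType issued : EType.values()) {
            System.out.println("KDC issues " + issued + " (etype " + issued.number + ") -> "
                    + outcome(issued, maxAesBits, allowWeak));
        }
    }
}
```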

SQE is ok to take the fix in 7u60.
18-12-2013

Why is there no regression test in the fix? As there is no regression test, SQE is investigating test coverage at the moment and will approve/decline for 7u60 once the test coverage/development needs situation is clear.
04-12-2013