8139348: Deprecate 3DES and RC4 in Kerberos

[wangweij]

Deprecate des3-hmac-sha1 (etype 16) and rc4-hmac (etype 23). User can add "allow_weak_crypto = true" in krb5.conf to re-enable them (plus the DES-based etypes deprecated long ago).

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8139348: Deprecate 3DES and RC4 in Kerberos

Reviewers

• Sean Mullan (@seanjmullan - Reviewer) ⚠️ Review applies to 146bc47

Download

$ git fetch https://git.openjdk.java.net/jdk pull/2701/head:pull/2701
$ git checkout pull/2701

[bridgekeeper]

👋 Welcome back weijun! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[wangweij]

/csr

[openjdk]

@wangweij this pull request will not be integrated until the CSR request JDK-8262273 for issue JDK-8139348 has been approved.

[openjdk]

@wangweij The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 02: Full - Incremental (0e7a61d)
• 01: Full - Incremental (146bc47)
• 00: Full (1b2764f)

[seanjmullan]

Is there a test that checks that the weak algorithms are actually disabled? I wasn't sure if I saw anything or maybe that is another test that you didn't have to modify?

[seanjmullan]

I don't know if there are any rules or best practices about this, but I usually don't put a bugid on a test if it isn't specifically testing what this bug is about.

[wangweij]

OK, I'll remove it.

[wangweij]

Is there a test that checks that the weak algorithms are actually disabled? I wasn't sure if I saw anything or maybe that is another test that you didn't have to modify?

Yes there's one and I'll update it. I can also add all weak etypes into onlythree.conf and they should be ignored.

[wangweij]

Updated tests. There is a weakcrypto.conf file which has been useless for a long time since WeakCrypto.java generates krb5.conf on the fly.

[wangweij]

Please also review the release note at https://bugs.openjdk.java.net/browse/JDK-8262335.

[openjdk]

@wangweij This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8139348: Deprecate 3DES and RC4 in Kerberos

Reviewed-by: mullan

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 25 new commits pushed to the master branch:

• c54724d: 8257234: Add gz option to SA jmap to write a gzipped heap dump
• aa35b42: 8261131: jcmd jmap dump should not accept gz option with no value
• ebdc80e: 8252883: AccessDeniedException caused by delayed file deletion on Windows
• f79c626: 8262296: Fix remaining doclint warnings in jdk.httpserver
• ea48a0b: 8262163: Extend settings printout in jcmd VM.metaspace
• a83e802: 8262299: C2 compilation fails with "modified node was not processed by IGVN.transform_old()"
• 0f8be6e: 8261868: Reduce inclusion of metaspace.hpp
• 3a0d6a6: 8262099: jcmd VM.metaspace should report unlimited size if MaxMetaspaceSize isn't specified
• a50725d: 8254001: [Metrics] Enhance parsing of cgroup interface files for version detection
• 6549212: 8262315: missing ';' in generated entities
• ... and 15 more: https://git.openjdk.java.net/jdk/compare/d2b9c227e55defc37c0b0f6362637823ced6a220...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[wangweij]

/integrate

[openjdk]

@wangweij Since your change was applied there have been 29 commits pushed to the master branch:

• 5a9b701: 8258444: Clean up specifications of java.io.Reader.read(char[],int,int) in subclass overrides
• 7d4f60b: 8260403: javap should be more robust in the face of invalid class files
• 674be87: 8261203: Incorrectly escaped javadoc html with type annotations
• 2eca17d: 8261457: test/langtools/tools/javac/T8187978 can fail if ArrayList class is modified
• c54724d: 8257234: Add gz option to SA jmap to write a gzipped heap dump
• aa35b42: 8261131: jcmd jmap dump should not accept gz option with no value
• ebdc80e: 8252883: AccessDeniedException caused by delayed file deletion on Windows
• f79c626: 8262296: Fix remaining doclint warnings in jdk.httpserver
• ea48a0b: 8262163: Extend settings printout in jcmd VM.metaspace
• a83e802: 8262299: C2 compilation fails with "modified node was not processed by IGVN.transform_old()"
• ... and 19 more: https://git.openjdk.java.net/jdk/compare/d2b9c227e55defc37c0b0f6362637823ced6a220...master

Your commit was automatically rebased without conflicts.

Pushed as commit ded96dd.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.