directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Default encryptionTypes for KdcServer
Date Mon, 16 Jan 2012 07:46:15 GMT
In a default Java installation AES is not enabled; the user has to copy the
unlimited cryptography extension jars
(US_export_policy.jar and local_policy.jar) to enable it (which IMHO
is an annoyance for most developers and users alike).

On Sun, Jan 15, 2012 at 4:53 AM, Aleksander Adamowski
<aleksander.adamowski@olo.org.pl> wrote:
> On Sat, Jan 14, 2012 at 22:42, Kiran Ayyagari <kayyagari@apache.org> wrote:
>>  You can call kdcServer.setEncryptionTypes() (with an array or set of
>> EncryptionTypeS).
>>  Note that this method should be called from a non-static method
>> (typically from the setup method or the one having the @Before annotation);
>>  calling it from a static method might likely result in a null pointer exception.
>>
>>  Let me know if you have any issues
>
> Thanks, it works!
> How about making the default in KdcServer compatible with MIT
> library's defaults?
>
> I think it would be sufficient to change one constant
> org.apache.directory.server.kerberos.kdc.KdcServer#DEFAULT_ENCRYPTION_TYPES:
>
> diff --git a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
> b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
> index fa14a4c..0673014 100644
> --- a/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
> +++ b/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
> @@ -85,7 +85,7 @@ public class KdcServer extends DirectoryBackedService
>
>     /** The default encryption types */
>     private static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
> -        { "des-cbc-md5" };
> +        { "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
> "des3-cbc-sha1-kd", "des-cbc-md5" };
>
>     /** The default for allowing empty addresses */
>     private static final boolean DEFAULT_EMPTY_ADDRESSES_ALLOWED = true;
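
Review bot: the new default list on the `+` line still ends with "des-cbc-md5" and now starts with "aes256-cts-hmac-sha1-96", and the `/** The default encryption types */` comment above it explains neither choice. Single DES is a weak cipher, so either drop it from the defaults or document that it is kept only for compatibility, and say in the Javadoc whether the order of the array expresses preference. The reply in this thread notes that a default Java installation needs the unlimited cryptography policy jars for AES, so the constant should be filtered against what the running JRE allows, or the comment should say what happens when the first entry cannot be used. As quoted here the `+` line is also wrapped by the mail client, so the attached 0001 patch rather than this inline copy is the one to apply.
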
>
> What do you think about that?
>
> Just in case, attaching a patch (attachment no. 0001).
>
> BTW, I've also found a suboptimal fragment in
> org.apache.directory.server.kerberos.kdc.KdcServer#prepareEncryptionTypes
> - sending a patch (attachment no. 0002).
>
> --
> Best Regards,
>   Aleksander Adamowski
>   http://olo.org.pl



-- 
Kiran Ayyagari
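
The JCE policy restriction mentioned in this message can be checked at runtime before a list like the proposed defaults is handed to kdcServer.setEncryptionTypes(). The following is an added example, not code from ApacheDS or from either poster; the class name, the etype-to-cipher table and the key sizes in it are this example's own assumptions, and converting the resulting names to EncryptionType values is not shown.

```java
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

/** Hypothetical helper, not part of ApacheDS: keeps only the etypes this JRE can use. */
public class UsableEncTypes {

    // Names from the proposed DEFAULT_ENCRYPTION_TYPES, strongest first, with the
    // JCE cipher and key size (bits) each one needs. The mapping is this example's own.
    private static final String[][] CANDIDATES = {
        { "aes256-cts-hmac-sha1-96", "AES",    "256" },
        { "aes128-cts-hmac-sha1-96", "AES",    "128" },
        { "des3-cbc-sha1-kd",        "DESede", "168" },
        { "des-cbc-md5",             "DES",    "56"  },
    };

    static List<String> usableEncTypes() {
        List<String> usable = new ArrayList<>();
        for (String[] c : CANDIDATES) {
            try {
                Cipher.getInstance(c[1]); // throws if no provider implements the cipher
                // 128 for AES under the limited policy files, Integer.MAX_VALUE when unlimited
                int maxBits = Cipher.getMaxAllowedKeyLength(c[1]);
                if (Integer.parseInt(c[2]) <= maxBits) {
                    usable.add(c[0]);
                }
            } catch (GeneralSecurityException e) {
                // Cipher unavailable in this JRE: leave the etype out of the list.
            }
        }
        return usable;
    }

    public static void main(String[] args) {
        List<String> usable = usableEncTypes();
        System.out.println("Usable encryption types: " + usable);
        if (!usable.contains("aes256-cts-hmac-sha1-96")) {
            System.out.println("AES-256 is blocked by the JCE policy files; "
                + "install the unlimited-strength jars or do not advertise it.");
        }
    }
}
```

Running it on the JRE that hosts the KDC shows which of the four names can actually be offered, so the server does not advertise an encryption type it cannot compute keys for.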
