Kerberos Cipher Suites
In SDK Version 8, the IBMJSSE2 provider has support for
Kerberos cipher suites, as described in RFC 2712. The following cipher
suites are supported but not enabled by default.
TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
To enable use of these cipher suites, you must do so explicitly. See SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() for more information. As with all other SSL or TLS cipher suites, if a cipher suite is not supported by the peer, then it won't be selected during cipher negotiation. Furthermore, if the application and/or server cannot acquire the necessary Kerberos credentials, then the Kerberos cipher suites also will not be selected.

Here is an example of a TLS client that wants to use only the TLS_KRB5_WITH_DES_CBC_SHA cipher suite.
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Create socket (tlsServer and serverPort are the host name and port of the TLS server)
SSLSocketFactory sslsf = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslSocket = (SSLSocket) sslsf.createSocket(tlsServer, serverPort);
// Enable only one cipher suite
String[] enabledSuites = { "TLS_KRB5_WITH_DES_CBC_SHA" };
sslSocket.setEnabledCipherSuites(enabledSuites);
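
The following is an added example, not part of the original documentation: it lists which TLS_KRB5_* suites the running JSSE provider supports and which it enables by default, and wraps setEnabledCipherSuites() with a support check. The class name Krb5SuiteCheck and the helper names krb5Only and enableOnly are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper class (not part of the SDK).
public class Krb5SuiteCheck {

    // Returns the Kerberos (TLS_KRB5_*) names found in a cipher suite list.
    static List<String> krb5Only(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.startsWith("TLS_KRB5_")) {
                out.add(s);
            }
        }
        return out;
    }

    // Enables exactly the requested suites, failing with a clear message if the
    // provider does not support one of them (setEnabledCipherSuites() itself
    // throws IllegalArgumentException in that case).
    static void enableOnly(SSLSocket socket, String... wanted) {
        Set<String> supported =
            new HashSet<>(Arrays.asList(socket.getSupportedCipherSuites()));
        for (String s : wanted) {
            if (!supported.contains(s)) {
                throw new IllegalStateException("Cipher suite not supported: " + s);
            }
        }
        socket.setEnabledCipherSuites(wanted);
    }

    public static void main(String[] args) {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        List<String> supported = krb5Only(f.getSupportedCipherSuites());
        List<String> byDefault = krb5Only(f.getDefaultCipherSuites());
        System.out.println("Kerberos suites supported:          " + supported);
        System.out.println("Kerberos suites enabled by default: " + byDefault);
        if (!byDefault.isEmpty()) {
            System.out.println("Kerberos suites are enabled without explicit configuration");
        }
    }
}
```

In the client above, enableOnly(sslSocket, "TLS_KRB5_WITH_DES_CBC_SHA") can replace the direct setEnabledCipherSuites() call; after the handshake, sslSocket.getSession().getCipherSuite() reports the suite that was actually negotiated.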