Perhaps people use the --with-krb5-flavor=MIT config, which is what we do, and we use it all the time in 1.0.2.

Ken

InterSoft International, Inc.
Phone: 888-823-1541
Fax: 866-701-1260
http://www.netterm.com
http://www.securenetterm.com

From: Matt Caswell <m...@openssl.org>
To: openssl-dev@openssl.org
Sent: Tuesday, May 5, 2015 7:56 AM
Subject: Re: [openssl-dev] Kerberos

On 05/05/15 13:22, Blumenthal, Uri - 0553 - MITLL wrote:
> What are the problems?

The code as it exists today is not compiled by default. I recently fixed a set of issues in master that had not been spotted simply because the code is not regularly compiled and used. One possible solution to that is to turn it on by default...but I think that is worse since it unnecessarily increases the attack surface for those that don't use it (the vast majority).

As it turns out the "--with-krb5-include" Configure option has not been working correctly in 1.0.2 since it was released...but no-one noticed.

Due to the infrequency with which it is being used in practice this means that the code is not being kept up to date. There are some technical issues (including its use of single DES) which mean the existing solution is not fit-for-purpose. Viktor is probably better placed to elaborate on those.

Either we should invest in the effort to bring it up to a suitable standard or we get rid of it. Given that (I believe) very few people are using it, it seems more sensible to get rid of it. Part of the purpose of my email was to gauge whether I was right that very few people are using it.

Matt
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev