On Tue, 2015-05-05 at 13:22 +0000, Technical Support wrote:
> Perhaps people use the --with-krb5-flavor=MIT config which is what we do, and
> we use it all the time in 1.0.2.
> Ken
>
> From: Matt Caswell <m...@openssl.org>
> To: openssl-dev@openssl.org
> Sent: Tuesday, May 5, 2015 7:56 AM
> Subject: Re: [openssl-dev] Kerberos
>
> On 05/05/15 13:22, Blumenthal, Uri - 0553 - MITLL wrote:
> > What are the problems?
>
> The code as it exists today is not compiled by default. I recently fixed
> a set of issues in master that had not been spotted simply because the
> code is not regularly compiled and used. One possible solution to that
> is to turn it on by default...but I think that is worse since it
> unnecessarily increases the attack surface for those that don't use it
> (the vast majority). As it turns out the "--with-krb5-include" Configure
> option has not been working correctly in 1.0.2 since it was
> released...but no-one noticed.
>
> Due to the infrequency with which it is being used in practice this
> means that the code is not being kept up to date. There are some
> technical issues (including its use of single DES) which mean the
> existing solution is not fit-for-purpose. Viktor is probably better
> placed to elaborate on those.

Fedora and Red Hat Enterprise Linux openssl packages have the KRB5 support compiled in. I believe there are some customers that still use it on older RHEL releases.

On the other hand the current set of supported ciphers does not make it useful for future use anymore so I do not care much if it is removed from openssl master branch. If you properly announce that the support will be removed unless anybody provides a patch adding support for current secure KRB5 algorithms, I am OK with that.

Regards,
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)