<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div><span></span></div><div></div><div id="yui_3_16_0_1_1430777369903_10875" dir="ltr">Perhaps people use the --with-krb5-flavor=MIT config which is what we do, and we use it</div><div id="yui_3_16_0_1_1430777369903_10915" dir="ltr">all the time in 1.0.2.</div><div id="yui_3_16_0_1_1430777369903_10928" dir="ltr"><br></div><div id="yui_3_16_0_1_1430777369903_10929" dir="ltr">Ken</div><div id="yui_3_16_0_1_1430777369903_10930" dir="ltr"><br></div><div class="signature" id="yui_3_16_0_1_1430777369903_10877"><div id="yui_3_16_0_1_1430777369903_10916">InterSoft International, Inc.</div><div id="yui_3_16_0_1_1430777369903_10876">Phone: 888-823-1541</div><div id="yui_3_16_0_1_1430777369903_10878">Fax: 866-701-1260</div><div id="yui_3_16_0_1_1430777369903_10879"><a href="http://www.netterm.com/" target="_blank" rel="nofollow">http://www.netterm.com</a></div><div align="left" id="yui_3_16_0_1_1430777369903_10880"><a href="http://www.securenetterm.com/" target="_blank" rel="nofollow">http://www.securenetterm.com</a></div></div><br>  <div id="yui_3_16_0_1_1430777369903_10897" style="font-family: HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1430777369903_10896" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1430777369903_10895" dir="ltr"> <hr size="1" id="yui_3_16_0_1_1430777369903_10931">  <font id="yui_3_16_0_1_1430777369903_10932" face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Matt Caswell &lt;matt@openssl.org&gt;<br> <b><span style="font-weight: bold;">To:</span></b> openssl-dev@openssl.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, May 5, 2015 7:56 
AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [openssl-dev] Kerberos<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1430777369903_10898"><br><br clear="none"><br clear="none">On 05/05/15 13:22, Blumenthal, Uri - 0553 - MITLL wrote:<br clear="none">> What are the problems?<br clear="none"><br clear="none">The code as it exists today is not compiled by default. I recently fixed<br clear="none">a set of issues in master that had not been spotted simply because the<br clear="none">code is not regularly compiled and used. One possible solution to that<br clear="none">is to turn it on by default...but I think that is worse since it<br clear="none">unnecessarily increases the attack surface for those that don't use it<br clear="none">(the vast majority). As it turns out the "--with-krb5-include" Configure<br clear="none">option has not been working correctly in 1.0.2 since it was<br clear="none">released...but no-one noticed.<br clear="none"><br clear="none">Due to the infrequency with which it is being used in practice this<br clear="none">means that the code is not being kept up to date. There are some<br clear="none">technical issues (including its use of single DES) which mean the<br clear="none">existing solution is not fit-for-purpose. Viktor is probably better<br clear="none">placed to elaborate on those.<br clear="none"><br clear="none">Either we should invest in the effort to bring it up to a suitable<br clear="none">standard or we get rid of it. Given that (I believe) very few people are<br clear="none">using it, it seems more sensible to get rid of it. 
Part of the purpose<br clear="none">of my email was to gauge whether I was right that very few people are<br clear="none">using it.<div class="qtdSeparateBR"><br><br></div><div class="yqt7263468354" id="yqtfd88378"><br clear="none"><br clear="none">Matt<br clear="none"></div><br><br></div> </div> </div>  </div></body></html>