[openssl-dev] Kerberos

Technical Support support at securenetterm.com
Tue May 5 13:22:41 UTC 2015


Perhaps people use the --with-krb5-flavor=MIT config, which is what we do, and we use it all the time in 1.0.2.
Ken
InterSoft International, Inc.
Phone: 888-823-1541
Fax: 866-701-1260
http://www.netterm.com
http://www.securenetterm.com

From: Matt Caswell <matt at openssl.org>
To: openssl-dev at openssl.org
Sent: Tuesday, May 5, 2015 7:56 AM
Subject: Re: [openssl-dev] Kerberos
   


On 05/05/15 13:22, Blumenthal, Uri - 0553 - MITLL wrote:
> What are the problems?

The code as it exists today is not compiled by default. I recently fixed
a set of issues in master that had not been spotted simply because the
code is not regularly compiled and used. One possible solution to that
is to turn it on by default...but I think that is worse since it
unnecessarily increases the attack surface for those that don't use it
(the vast majority). As it turns out the "--with-krb5-include" Configure
option has not been working correctly in 1.0.2 since it was
released...but no-one noticed.

Due to the infrequency with which it is being used in practice this
means that the code is not being kept up to date. There are some
technical issues (including its use of single DES) which mean the
existing solution is not fit-for-purpose. Viktor is probably better
placed to elaborate on those.

Either we should invest in the effort to bring it up to a suitable
standard or we get rid of it. Given that (I believe) very few people are
using it, it seems more sensible to get rid of it. Part of the purpose
of my email was to gauge whether I was right that very few people are
using it.



Matt


  