[openssl-dev] Kerberos

Tomas Mraz tmraz at redhat.com
Tue May 5 13:33:46 UTC 2015


On Tue, 2015-05-05 at 13:22 +0000, Technical Support wrote:
> Perhaps people use the --with-krb5-flavor=MIT config which is what we do, and we use it all the time in 1.0.2.
> Ken

>       From: Matt Caswell <matt at openssl.org>
>  To: openssl-dev at openssl.org 
>  Sent: Tuesday, May 5, 2015 7:56 AM
>  Subject: Re: [openssl-dev] Kerberos
> 
> On 05/05/15 13:22, Blumenthal, Uri - 0553 - MITLL wrote:
> > What are the problems?
> 
> The code as it exists today is not compiled by default. I recently fixed
> a set of issues in master that had not been spotted simply because the
> code is not regularly compiled and used. One possible solution to that
> is to turn it on by default...but I think that is worse since it
> unnecessarily increases the attack surface for those that don't use it
> (the vast majority). As it turns out the "--with-krb5-include" Configure
> option has not been working correctly in 1.0.2 since it was
> released...but no-one noticed.
> 
> Due to the infrequency with which it is being used in practice this
> means that the code is not being kept up to date. There are some
> technical issues (including its use of single DES) which mean the
> existing solution is not fit-for-purpose. Viktor is probably better
> placed to elaborate on those.

Fedora and Red Hat Enterprise Linux openssl packages have the KRB5
support compiled in. I believe there are some customers that still use
it on older RHEL releases. On the other hand the current set of
supported ciphers does not make it useful for future use anymore so I do
not care much if it is removed from openssl master branch. If you
properly announce that the support will be removed unless anybody
provides a patch adding support for current secure KRB5 algorithms, I am
OK with that.

Regards,
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
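The thread turns on two practical questions for anyone running a distribution build such as the Fedora/RHEL packages mentioned above: does this OpenSSL expose any Kerberos (KRB5) TLS ciphersuites at all, and do those suites still rely on single DES, which Matt cites as one of the reasons the code is not fit for purpose. The following is an added example and not code from the thread or from the OpenSSL project. It parses the `openssl ciphers -v` listing format; the embedded sample listing is constructed for illustration (the KRB5-* suite names follow the OpenSSL 1.0.x naming, but the listing is not taken from any real build), and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit which Kerberos (KRB5) TLS
# ciphersuites an OpenSSL build exposes, and flag those that use single
# DES.  Input is the output of `openssl ciphers -v`, one suite per line:
#   NAME PROTOCOL Kx=... Au=... Enc=... Mac=...

# Constructed sample of an `openssl ciphers -v` listing from a 1.0.x-style
# build with KRB5 enabled.  Suite names follow OpenSSL 1.0.x naming; the
# listing itself is illustrative and not captured from a real build.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-RC4-SHA            SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128)  Mac=SHA1
KRB5-DES-CBC-SHA        SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56)   Mac=SHA1
KRB5-DES-CBC-MD5        SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56)   Mac=MD5
AES128-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1'

# krb5_suites: print the name of every suite that keys or authenticates
# with Kerberos (field 3 is Kx=..., field 4 is Au=...).
krb5_suites() {
    awk '$3 == "Kx=KRB5" || $4 == "Au=KRB5" { print $1 }'
}

# weak_krb5_suites: among the KRB5 suites, print those whose bulk cipher
# (field 5) is single DES with a 56-bit key.
weak_krb5_suites() {
    awk '($3 == "Kx=KRB5" || $4 == "Au=KRB5") && $5 == "Enc=DES(56)" { print $1 }'
}

# count_lines: number of lines on stdin, with no leading whitespace so the
# result can be used in numeric comparisons.
count_lines() {
    wc -l | tr -d ' '
}

# audit_krb5: summarise a ciphers listing read from stdin.
# Exit status 0 means the build exposes no KRB5 suites; 1 means it does.
audit_krb5() {
    input=$(cat)
    total=$(printf '%s\n' "$input" | krb5_suites | count_lines)
    weak=$(printf '%s\n' "$input" | weak_krb5_suites | count_lines)
    echo "KRB5 ciphersuites: $total (single-DES: $weak)"
    [ "$total" -eq 0 ]
}

# Run against the constructed sample.  To audit a real build, feed it the
# live listing instead:
#   openssl ciphers -v 'ALL:COMPLEMENTOFALL' | audit_krb5
printf '%s\n' "$SAMPLE_CIPHERS" | audit_krb5 || echo "KRB5 support is compiled in"
```

On a build configured without Kerberos (the default, as Matt notes) the live listing simply contains no Kx=KRB5 or Au=KRB5 entries and the audit exits 0. On 1.0.x builds that do have it, the cipher-string keyword `KRB5` in ciphers(1) selects the same suites directly, so `openssl ciphers -v 'KRB5'` is a quicker manual check; the parsing approach above has the advantage of also separating out the single-DES suites in one pass.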