[openssl-dev] Kerberos

Viktor Dukhovni openssl-users at dukhovni.org
Sat May 9 06:14:46 UTC 2015


On Fri, May 08, 2015 at 10:57:10PM -0700, John Denker wrote:
> 
> I don't understand what it means to say the feature "seems" rarely used.
> Is there any actual evidence about the number and/or importance of uses?

We don't need to ask the original question.  The current Kerberos
support in OpenSSL SHOULD NOT be used, and support SHOULD be removed,
even if there are current users.  They can stay with whatever
version of OpenSSL provides the feature at present, we won't
confiscate the code from them.

> For example:
>
>   http://linuxsoft.cern.ch/cern/slc61/i386/yum/updates/repoview/krb5-pkinit-openssl.html

This is not in fact a use of the Kerberos cipher-suites in TLS.
Rather it is a use of Kerberos in which user passwords are replaced
with PKI smartcards or similar.  It uses OpenSSL's libcrypto for
the PKI bits, but has nothing to do with TLS.

> > I plan to start preparing the patches to remove it next week.
> 
> Why do we think that's worth the trouble?

This is unmaintained and largely unused code, whose functionality
is obsolete.

> 
> I don't care about Kerberos directly, but it seems like a poor use of
> resources to worry about Kerberos while more pressing issues are left
> unaddressed.

Sorry, removing the code removes the cost of continuing to support
that code (even poorly), and removes any latent security issues in
that code.

Since this code is conditionally compiled, removing it is rather
easy.  Just drop all the "#ifdef ... #endif" code blocks that
support the obsolete Kerberos ciphersuites.

-- 
	Viktor.
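An added example, not code from the post or from OpenSSL: a small Python function that does what the last paragraph describes, dropping the code inside a build-time guard as `unifdef -D<macro>` would, while tracking nesting so unrelated `#ifdef` blocks are left alone. It assumes the guard macro is named OPENSSL_NO_KRB5 and runs on a constructed C fragment.

```python
import re

# Constructed sample input (not from the page). The macro name is an assumption
# about how the Kerberos ciphersuite code is guarded.
SAMPLE = """\
int x = 0;
#ifndef OPENSSL_NO_KRB5
    krb5_stuff();
#  ifdef DEBUG
    log_krb5();
#  endif
#else
    plain_stuff();
#endif
#ifdef OPENSSL_NO_KRB5
    no_krb5_only();
#endif
return x;
"""

DIRECTIVE = re.compile(r"^\s*#\s*(ifndef|ifdef|if|else|elif|endif)\b\s*(\S*)")


def strip_macro_blocks(source, macro):
    """Rewrite `source` as if `macro` were always defined.

    Only `#ifdef MACRO` / `#ifndef MACRO` are resolved; every other conditional
    (including `#if defined(MACRO)`) is passed through unchanged. A stack of
    (is_ours, emitting) entries keeps nested blocks straight.
    """
    out, stack = [], []
    for line in source.splitlines(keepends=True):
        emitting = all(em for _, em in stack)  # inside a kept branch?
        m = DIRECTIVE.match(line)
        if m:
            kind, arg = m.group(1), m.group(2)
            if kind in ("ifdef", "ifndef", "if"):
                if kind != "if" and arg == macro:
                    # #ifdef MACRO keeps its then-branch; #ifndef MACRO drops it
                    stack.append((True, kind == "ifdef"))
                    continue
                stack.append((False, True))
            elif kind in ("else", "elif"):
                if not stack:
                    raise ValueError("#%s without #if" % kind)
                if stack[-1][0]:
                    if kind == "elif":
                        raise ValueError("#elif on the guard macro is unsupported")
                    stack[-1] = (True, not stack[-1][1])  # switch branches
                    continue
            else:  # endif
                if not stack:
                    raise ValueError("#endif without #if")
                if stack.pop()[0]:
                    continue  # the guard's own #endif disappears with it
        if emitting:
            out.append(line)
    return "".join(out)
```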

