[openssl-dev] Kerberos

Douglas E Engert deengert at gmail.com
Sat May 9 12:21:32 UTC 2015



On 5/9/2015 12:57 AM, John Denker wrote:
> On 05/05/2015 01:21 AM, Matt Caswell wrote:
>
>> I am considering removing Kerberos support from OpenSSL 1.1.0. There are
>> a number of problems with the functionality as it stands, and it seems
>> to me to be a very rarely used feature.
>
> I don't understand what it means to say the
> feature "seems" rarely used.  Is there any
> actual evidence about the number and/or
> importance of uses?
>
>>   I'm interested in hearing any
>> opinions on this (either for or against).
>
> Opinions are not a good substitute for actual
> evidence.
>
> This thread has revealed that some people on
> this list would prefer something else, but
> that leaves unanswered (and almost unasked)
> the question of whether Kerberos is actually
> being used.
>
> Personally I don't use it, but that does not
> come close to answering the question.  A few
> moments of googling suggest that some people
> are using Kerberos in conjunction with openssl.
> For example:
>    http://linuxsoft.cern.ch/cern/slc61/i386/yum/updates/repoview/krb5-pkinit-openssl.html

That refers to the use of the OpenSSL crypto libraries to provide PKI functions needed
to support the PKINIT protocols. PKINIT uses PKI for a pre-authentication data element
as part of the Kerberos AS-REQ. PKINIT is used by Windows Active Directory and unix versions
of Kerberos for smart card login to the AD or KDC.

https://tools.ietf.org/html/rfc4556

It has nothing to do with the SSL/TLS protocols using Kerberos.

I too have never used Kerberos with the SSL protocol. Time marches on,
DES is deprecated and not used in Kerberos, SSL is being replaced by TLS,
and these changes have not been reflected in the standards used for the OpenSSL Kerberos code.

I have worked with Jeff Altman and Nico Williams in IETF working groups and they are the experts in
the use of GSS and Kerberos.

>
>> I plan to start preparing the patches to remove it next week.
>
> Why do we think that's worth the trouble?
>
> What evidence is there that removal won't
> cause problems?  It's hard to prove a negative,
> and the recent discussions on this list don't
> even come close.
>
> I don't care about Kerberos directly, but it
> seems like a poor use of resources to worry
> about Kerberos while more pressing issues are
> left unaddressed.

Misuse of the older Kerberos code in OpenSSL with SSL is not as secure as one might think.
Removing the code might be the best thing that could happen.


-- 

  Douglas E. Engert  <DEEngert at gmail.com>