From: Jan Bramkamp
Date: Tue, 26 Aug 2025 15:05:23 +0200
Subject: Re: August 2025 stabilization week
To: freebsd-current@freebsd.org
Message-ID: <31931c62-b125-4b28-b2df-b8f3e741d2bd@rlwinm.de>
References: <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On 26.08.25 06:25, Rick Macklem wrote:
> On Mon, Aug 25, 2025 at 1:27 PM Rick Macklem wrote:
>> On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans wrote:
>>> On 8/25/25 07:53, Gleb Smirnoff wrote:
>>>> Hi,
>>>>
>>>> On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote:
>>>> T> This is an automated email to inform you that the August 2025 stabilization week
>>>> T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which was tagged as
>>>> T> main-stabweek-2025-Aug.
>>>>
>>>> This stabilization cycle is expected to be more bumpy than usual.
>>>>
>>>> 1) We got a major upgrade - OpenSSL 3.5.1. One known issue is that the legacy
>>>> provider is broken.
>> I believe that KTLS support isn't yet enabled for it?
>> (If so, NFS over TLS won't work.)
>>
>>>> 2) The default Kerberos now is MIT. We have already checked that a Kerberized
>>>> NFS client can migrate from Heimdal to MIT. We did not check Kerberized NFS
>>>> server, but should be fine.
>> I tested the server a couple of days ago and it was fine.
>>
>>> There is not yet an official way to migrate kdc
>>>> from Heimdal to MIT.
>> Yea. One possibility is to install Heimdal-7.8 from ports/packages and then
>> use it to dump the KDC's database in MIT format. (Although Cy seemed to
>> find it didn't work, doing this with the "--decrypt" option might retain the
>> passwords.)
>>
>> I'll give this a try and report back if it worked for me.
> Well, I'm not having any luck.
> Every time I try and use Heimdal-7.8 to load the database from Heimdal-1.5.2,
> "kadmin -l" throws this error and exits.
>
> kadmin: rc4 8: EVP_CipherInit_ex einit
>
> I need the Heimdal-7.8 kadmin to work to try and convert the database to
> MIT format.
>
> So, does anyone know the trick to fixing this? rick

This looks very similar to a problem I had when upgrading to the first
FreeBSD release using OpenSSL 3.x. In that case the issue was that the
cryptographically broken old RC4 ciphersuite is no longer supported at
all. In Heimdal you could disable it in the configuration and so it
wouldn't even probe for the removed cipher.