Date: Tue, 2 Sep 2025 21:45:38 -0700
From: Gleb Smirnoff
To: Cy Schubert
Cc: Rick Macklem, freebsd-current@freebsd.org
Subject: Re: heimdal -> MIT kdc migration
In-Reply-To: <20250903043714.370F5311@slippy.cwsent.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Tue, Sep 02, 2025 at 09:37:14PM -0700, Cy Schubert wrote:
C> I think the problem is with OpenSSL 3.5. With the legacy provider loaded in
C> OpenSSL 3.5 I get,
C>
C> test3# openssl list -providers
C> Providers:
C>   default
C>     name: OpenSSL Default Provider
C>     version: 3.5.1
C>     status: active
C> test3#
C>
C> Whereas in 3.0 I get,
C>
C> bob# openssl list -providers
C> Providers:
C>   default
C>     name: OpenSSL Default Provider
C>     version: 3.0.16
C>     status: active
C>   legacy
C>     name: OpenSSL Legacy Provider
C>     version: 3.0.16
C>     status: active
C> bob#
C>
C> Some symbol must be missing.

The provider is no longer enabled by default in 3.5. You need couple more
lines in /etc/ssl/openssl.cnf. This page has some examples:

https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/

You also need CURRENT after b370fb00c89e9182f650943902a008f0c60883d6.

--
Gleb Smirnoff
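
Added example (not part of the original message and not FreeBSD project code): a sketch of the openssl.cnf lines that activate the legacy provider, plus a check of `openssl list -providers` output like the two listings quoted above. The function names, sample strings and /tmp path are assumptions made for illustration; the section names follow the conventional layout of OpenSSL's stock openssl.cnf.

```sh
#!/bin/sh
# Added example, not from the original mail. Section names follow the
# conventional layout of OpenSSL's stock openssl.cnf.

# Write a minimal trial config that activates both providers. Once any
# provider is activated explicitly, "default" is no longer loaded implicitly,
# so it has to be listed as well.
write_legacy_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}

# Read `openssl list -providers` output on stdin; succeed only if the
# "legacy" provider is listed with "status: active".
legacy_active() {
    awk '
        /^[ \t]*[A-Za-z0-9_-]+[ \t]*$/ { cur = $1; next }  # provider id line
        cur == "legacy" && /status:[ \t]*active/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed samples, abbreviated from the two listings quoted in the mail.
SAMPLE_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    status: active'
SAMPLE_WITH_LEGACY="$SAMPLE_DEFAULT_ONLY
  legacy
    name: OpenSSL Legacy Provider
    status: active"

# Trial run without touching /etc/ssl/openssl.cnf (OPENSSL_CONF overrides it):
#   write_legacy_conf /tmp/openssl-legacy.cnf
#   OPENSSL_CONF=/tmp/openssl-legacy.cnf openssl list -providers | legacy_active
```

The legacy provider carries older algorithms such as RC4, MD4 and DES, so activate it only on hosts that still need them.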