Re: August 2025 stabilization week

From: Jan Bramkamp <crest_at_rlwinm.de>
Date: Tue, 26 Aug 2025 13:05:23 UTC

On 26.08.25 06:25, Rick Macklem wrote:
> On Mon, Aug 25, 2025 at 1:27 PM Rick Macklem <rick.macklem@gmail.com> wrote:
>> On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans <kevans@freebsd.org> wrote:
>>> On 8/25/25 07:53, Gleb Smirnoff wrote:
>>>>     Hi,
>>>>
>>>> On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote:
>>>> T> This is an automated email to inform you that the August 2025 stabilization week
>>>> T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which was tagged as
>>>> T> main-stabweek-2025-Aug.
>>>>
>>>> This stabilization cycle is expected to be more bumpy than usual.
>>>>
>>>> 1) We got a major upgrade - OpenSSL 3.5.1. One known issue is that the legacy
>>>> provider is broken.
>> I believe that KTLS support isn't yet enabled for it?
>> (If so, NFS over TLS won't work.)
>>
>>>> 2) The default Kerberos now is MIT.  We have already checked that a Kerberized
>>>> NFS client can migrate from Heimdal to MIT.  We did not check Kerberized NFS
>>>> server, but should be fine.
>> I tested the server a couple of days ago and it was fine.
>>
>>>> There is not yet an official way to migrate kdc
>>>> from Heimdal to MIT.
>> Yea. One possibility is to install Heimdal-7.8 from ports/packages and then
>> use it to dump the KDC's database in MIT format. (Although Cy seemed to
>> find it didn't work, doing this with the "--decrypt" option might retain the
>> passwords.)
>>
>> I'll give this a try and report back if it worked for me.
> Well, I'm not having any luck.
> Every time I try and use Heimdal-7.8 to load the database from Heimdal-1.5.2,
> "kadmin -l" throws this error and exits.
>
> kadmin: rc4 8: EVP_CipherInit_ex einit
>
> I need the Heimdal-7.8 kadmin to work to try and convert the database to
> MIT format.
>
> So, does anyone know the trick to fixing this? rick

This looks very similar to a problem I had when upgrading to the first 
FreeBSD release using OpenSSL 3.x.

In that case the issue was that the cryptographically broken old RC4 
ciphersuite is no longer supported at all.

In Heimdal you could disable it in the configuration and so it wouldn't 
even probe for the removed cipher.