From: Jan Bramkamp
Date: Tue, 26 Aug 2025 15:08:13 +0200
Subject: Re: August 2025 stabilization week
To: freebsd-current@freebsd.org
Message-ID: <638395fe-688f-43ec-be67-a239cdaaa08b@rlwinm.de>
In-Reply-To: <31931c62-b125-4b28-b2df-b8f3e741d2bd@rlwinm.de>
References: <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org> <31931c62-b125-4b28-b2df-b8f3e741d2bd@rlwinm.de>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On 26.08.25 15:05, Jan Bramkamp wrote:
> On 26.08.25 06:25, Rick Macklem wrote:
>> On Mon, Aug 25, 2025 at 1:27 PM Rick Macklem wrote:
>>> On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans wrote:
>>>> On 8/25/25 07:53, Gleb Smirnoff wrote:
>>>>>   Hi,
>>>>>
>>>>> On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote:
>>>>> T> This is an automated email to inform you that the August 2025 stabilization week
>>>>> T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which was tagged as
>>>>> T> main-stabweek-2025-Aug.
>>>>>
>>>>> This stabilization cycle is expected to be more bumpy than usual.
>>>>>
>>>>> 1) We got a major upgrade - OpenSSL 3.5.1. One known issue is that
>>>>> the legacy provider is broken.
>>> I believe that KTLS support isn't yet enabled for it?
>>> (If so, NFS over TLS won't work.)
>>>
>>>>> 2) The default Kerberos now is MIT.
>>>>> We have already checked that a Kerberized NFS client can migrate
>>>>> from Heimdal to MIT.  We did not check Kerberized NFS server, but
>>>>> should be fine.
>>> I tested the server a couple of days ago and it was fine.
>>>
>>>>> There is not yet an official way to migrate kdc from Heimdal to MIT.
>>> Yea. One possibility is to install Heimdal-7.8 from ports/packages
>>> and then use it to dump the KDC's database in MIT format. (Although
>>> Cy seemed to find it didn't work, doing this with the "--decrypt"
>>> option might retain the passwords.)
>>>
>>> I'll give this a try and report back if it worked for me.
>> Well, I'm not having any luck.
>> Every time I try and use Heimdal-7.8 to load the database from
>> Heimdal-1.5.2, "kadmin -l" throws this error and exits.
>>
>> kadmin: rc4 8: EVP_CipherInit_ex einit
>>
>> I need the Heimdal-7.8 kadmin to work to try and convert the database
>> to MIT format.
>>
>> So, does anyone know the trick to fixing this? rick
>
> This looks very similar to a problem I had when upgrading to the first
> FreeBSD release using OpenSSL 3.x.
>
> In that case the issue was that the cryptographically broken old RC4
> ciphersuite is no longer supported at all.
>
> In Heimdal you could disable it in the configuration and so it
> wouldn't even probe for the removed cipher.

Sorry I forgot to include the relevant /etc/krb5.conf lines:

[libdefaults]
        default_keys        = aes256-cts-hmac-sha1-96:pw-salt
        default_etypes      = aes256-cts-hmac-sha1-96
        default_etypes_des  =
[kadmin]
        default_keys    = aes256-cts-hmac-sha1-96:pw-salt
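
Added example, not part of the original message and not Heimdal's own code: a small Python audit that parses a krb5.conf and reports any enctype in the three settings quoted above that depends on RC4 or single DES. The function names and the weak sample configuration are constructed for illustration; the first sample is the configuration from the message.

```python
import re

# Enctype name prefixes whose ciphers (RC4, single DES) OpenSSL 3.x only
# provides through its legacy provider.
LEGACY_PREFIXES = ("arcfour", "rc4", "des-cbc-")
# The enctype-selecting keys that appear in the message above.
ETYPE_KEYS = {"default_keys", "default_etypes", "default_etypes_des"}

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; nested { } blocks are flattened."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if line.endswith("{") or line.startswith("}"):
            continue                         # realm-style block delimiters
        if section is None or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        conf[section].setdefault(key, []).append(value)
    return conf

def audit(text):
    """Return sorted (section, key, enctype) tuples that need RC4 or DES."""
    findings = []
    for section, entries in parse_krb5_conf(text).items():
        for key in ETYPE_KEYS & entries.keys():
            for value in entries[key]:
                for token in re.split(r"[\s,]+", value):
                    etype = token.split(":", 1)[0].lower()  # drop ":pw-salt"
                    if etype.startswith(LEGACY_PREFIXES):
                        findings.append((section, key, etype))
    return sorted(findings)

# Configuration quoted in the message above.
PAGE_CONF = """[libdefaults]
        default_keys        = aes256-cts-hmac-sha1-96:pw-salt
        default_etypes      = aes256-cts-hmac-sha1-96
        default_etypes_des  =
[kadmin]
        default_keys    = aes256-cts-hmac-sha1-96:pw-salt
"""
# Constructed counter-example that still lists RC4 and DES enctypes.
WEAK_CONF = """[libdefaults]
    default_etypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc
[kadmin]
    default_keys = aes256-cts-hmac-sha1-96:pw-salt arcfour-hmac-md5:pw-salt
"""

if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("weak", WEAK_CONF)):
        print(name, audit(conf) or "no RC4/DES enctypes configured")
```

The audit only covers what the configuration asks for; keys already stored in an existing KDC database with an RC4 enctype are outside what it can see.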