Re: heimdal -> MIT kdc migration

From: Gleb Smirnoff <glebius_at_freebsd.org>
Date: Wed, 03 Sep 2025 04:45:38 UTC
On Tue, Sep 02, 2025 at 09:37:14PM -0700, Cy Schubert wrote:
C> I think the problem is with OpenSSL 3.5. With the legacy provider loaded in 
C> OpenSSL 3.5 I get,
C> 
C> test3# openssl list -providers
C> Providers:
C>   default
C>     name: OpenSSL Default Provider
C>     version: 3.5.1
C>     status: active
C> test3# 
C> 
C> Whereas in 3.0 I get,
C> 
C> bob# openssl list -providers
C> Providers:
C>   default
C>     name: OpenSSL Default Provider
C>     version: 3.0.16
C>     status: active
C>   legacy
C>     name: OpenSSL Legacy Provider
C>     version: 3.0.16
C>     status: active
C> bob# 
C> 
C> Some symbol must be missing.

The provider is no longer enabled by default in 3.5.  You need a couple more
lines in /etc/ssl/openssl.cnf.  This page has some examples:

https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/

You also need CURRENT after b370fb00c89e9182f650943902a008f0c60883d6.

-- 
Gleb Smirnoff
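
An added example, not part of the original message: a POSIX sh check that reads `openssl list -providers` output and an openssl.cnf to tell whether the legacy provider is active and whether the config activates it. The function names are hypothetical, the config fragment is constructed, and the config parser is a simplification that does not follow `.include` or the `openssl_conf` chain.

```sh
#!/bin/sh
# Added example, not from the thread. Parses `openssl list -providers`
# output and a simplified openssl.cnf to see whether "legacy" is activated.

# Print the id of every provider whose status is "active" (listing on stdin).
active_providers() {
    awk '/^  [A-Za-z0-9_-]+$/ { id = $1; next }
         /^ +status: active/   { if (id != "") print id }'
}

# Succeed if provider $1 is active in the listing on stdin.
provider_active() { active_providers | grep -qx -- "$1"; }

# Succeed if config $1 maps "legacy" to a section that sets activate = 1/yes/true/on.
# Simplification: does not follow the openssl_conf -> providers chain or .include.
cnf_activates_legacy() {
    awk '{ sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
         /^\[.*\]$/ { sec = $0; gsub(/^\[[ \t]*|[ \t]*\]$/, "", sec); next }
         /^legacy[ \t]*=/ { t = $0; sub(/^[^=]*=[ \t]*/, "", t) }
         /^activate[ \t]*=[ \t]*(1|yes|true|on)$/ { act[sec] = 1 }
         END { exit !(t != "" && (t in act)) }' "$1"
}

# Listing quoted in the thread for the 3.5.1 host (legacy absent).
listing_351() { printf '%s\n' 'Providers:' '  default' \
    '    name: OpenSSL Default Provider' '    version: 3.5.1' '    status: active'; }

# Constructed openssl.cnf fragment that activates both providers.
sample_cnf() { printf '%s\n' 'openssl_conf = openssl_init' '' \
    '[openssl_init]' 'providers = provider_sect' '' \
    '[provider_sect]' 'default = default_sect' 'legacy = legacy_sect' '' \
    '[default_sect]' 'activate = 1' '' '[legacy_sect]' 'activate = 1'; }

# Demo on the embedded samples.
listing_351 | provider_active legacy || echo "3.5.1 listing: legacy provider not active"
tmp=$(mktemp) && sample_cnf > "$tmp"
cnf_activates_legacy "$tmp" && echo "sample config: legacy provider activated"
rm -f "$tmp"
```

On a live host, pipe `openssl list -providers` into `provider_active legacy` and pass the real config path to `cnf_activates_legacy`.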