Re: heimdal -> MIT kdc migration

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Wed, 03 Sep 2025 04:53:47 UTC
In message <aLfH8u9GwXX8IjyN@cell.glebi.us>, Gleb Smirnoff writes:
> On Tue, Sep 02, 2025 at 09:37:14PM -0700, Cy Schubert wrote:
> C> I think the problem is with OpenSSL 3.5. With the legacy provider loaded in
> C> OpenSSL 3.5 I get,
> C> 
> C> test3# openssl list -providers
> C> Providers:
> C>   default
> C>     name: OpenSSL Default Provider
> C>     version: 3.5.1
> C>     status: active
> C> test3# 
> C> 
> C> Whereas in 3.0 I get,
> C> 
> C> bob# openssl list -providers
> C> Providers:
> C>   default
> C>     name: OpenSSL Default Provider
> C>     version: 3.0.16
> C>     status: active
> C>   legacy
> C>     name: OpenSSL Legacy Provider
> C>     version: 3.0.16
> C>     status: active
> C> bob# 
> C> 
> C> Some symbol must be missing.
>
> The provider is no longer enabled by default in 3.5.  You need a couple more
> lines in /etc/ssl/openssl.cnf.  This page has some examples:
>
> https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/

Those lines are already in my openssl.cnf.

...
[provider_sect]
default = default_sect
lagacy = legacy_sect
...
[default_sect]
# activate = 1
activate = 1

[legacy_sect]
activate = 1


>
> You also need CURRENT after b370fb00c89e9182f650943902a008f0c60883d6.

I'm running CURRENT as of this morning.

Works on the machine itself but not in the jail I'm testing in. Ok, there's 
something amiss with my jail.

The server itself produces the correct output.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0
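
The following is an added example, not code from either poster or from FreeBSD or OpenSSL: a small offline check of the provider section of an openssl.cnf, reporting which providers the file activates and which entries look wrong. It assumes the stock `openssl_conf = openssl_init` layout; `SAMPLE`, `parse_sections` and `audit_providers` are hypothetical names, and the sample config is constructed.

```python
import re

# Provider names shipped with OpenSSL 3.x; other keys are typos or third-party modules.
SHIPPED = {"default", "legacy", "base", "fips", "null"}
TRUE_VALUES = {"1", "yes", "true", "on"}

# Constructed sample; section names follow the fragment quoted in the thread.
SAMPLE = """
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
"""

def parse_sections(text):
    """Minimal openssl.cnf reader: {section: {key: value}}, '#' comments dropped."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def audit_providers(text):
    """Return (provider names the config activates, warnings)."""
    cfg = parse_sections(text)
    init = cfg.get(cfg["default"].get("openssl_conf"), {})
    active, warnings = [], []
    for key, sect in cfg.get(init.get("providers"), {}).items():
        body = cfg.get(sect, {})
        name = body.get("identity", key)  # key is the provider name unless overridden
        if name not in SHIPPED:
            warnings.append(f"{key}: '{name}' is not a provider shipped with OpenSSL")
        if body.get("activate", "").lower() in TRUE_VALUES:
            active.append(name)
        else:
            warnings.append(f"{key}: [{sect}] does not activate the provider")
    return active, warnings
```

Run `audit_providers(open("/etc/ssl/openssl.cnf").read())` on the host and inside the jail and compare the results with `openssl list -providers`; a provider the file activates but the command does not list points at module loading rather than at the configuration text.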