Regression in GSSAPI/libxh509 linking? [PR bin/147175]

Matthew Seaman m.seaman at
Wed Jul 7 05:00:57 UTC 2010

On 06/07/2010 23:26:03, Matthias Andree wrote:
> On 06.07.2010 at 21:00, Matthew Seaman wrote:
>> On 06/07/2010 15:14:28, Andrew Reilly wrote:
>>> So: how should I "fix" this, properly, on my -current system? Is it
>>> as simple as installing heimdal from ports? I can't remove openssl-1.0:
>>> that has 191 ports listed in its REQUIRED_BY file.
>> Rebuild the port of openssl-1.0.0 after modifying the OPTIONS to include
>> MD2=on ?
> Not good given that MD2 is broken. Very broken, not just by a factor of
> 2^5 or something.
> Where upon rests the earlier assertion (not by Matthew) that Kerberos V
> needed MD2 checksums?
> I can't seem to find that in the KRB5 protocol and checksum RFCs. If
> it's not mandatory we may want to nuke MD2 from Kerberos to remedy a
> weakness... Chapter and Verse welcome.

Yeah.  Even so, lots of software still expects it to be present and
won't link without it.  I hope no one is actually using it, or running
with a cipher configuration that would permit it to be used.

Cleaning all reliance on MD2 out of the ports and base would make a very
good project for a bunch of people, and pushing those changes upstream
would certainly help make the internet a better place.  Probably should
start with an experimental run on a tinderbox somewhere trying to build
all ports that are OpenSSL consumers against security/openssl with MD2
turned off.



-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
JID: matthew at               Kent, CT11 9PW
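
A static pre-check for the audit proposed above, as an added example that is not part of the original message: it reads `nm -A -D -u` output and lists the objects that import OpenSSL's MD2 symbols, which are the ones that would fail to link against a libcrypto built without MD2. The file names and sample lines are constructed, and the `find` path in the comment is an assumption.

```shell
#!/bin/sh
# Added example. List ELF objects that import OpenSSL MD2 symbols.
# Real use (path is an assumption):
#   find /usr/local/lib /usr/local/bin -type f \
#       -exec nm -A -D -u {} + 2>/dev/null | md2_consumers

# Read "file: [address] type symbol" lines (nm -A format) on stdin and
# print each file once if it has an undefined reference to an MD2 symbol.
md2_consumers() {
    awk '
        NF >= 3 && $(NF-1) == "U" {
            sym = $NF
            sub(/@.*/, "", sym)          # drop a symbol-version suffix
            if (sym ~ /^(MD2|MD2_Init|MD2_Update|MD2_Final|MD2_options|EVP_md2)$/) {
                file = $1
                sub(/:$/, "", file)      # strip the colon nm -A appends
                if (!(file in seen)) { seen[file] = 1; print file }
            }
        }'
}

# Constructed sample input; none of these files are real.
sample_nm_output() {
    cat <<'EOF'
/usr/local/lib/libexample_krb.so.1:                  U MD2_Init
/usr/local/lib/libexample_krb.so.1:                  U MD2_Final
/usr/local/lib/libexample_krb.so.1:                  U SHA1_Init
/usr/local/bin/example_tool:                  U EVP_md2@OPENSSL_1.0.0
/usr/local/bin/example_clean:                  U EVP_sha256
/usr/local/lib/libcrypto.so.7: 00000000000a1b20 T MD2_Init

/usr/local/bin/example_near:                  U MD2_InitX
EOF
}

# Demonstration on the constructed sample.
sample_nm_output | md2_consumers
```

Objects that only define MD2 symbols (the `T` line for libcrypto itself) and lookalike names are not reported; paths containing spaces are not handled.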