[Freeipa-devel] Fwd: [openssl-users] removing Kerberos support from OpenSSL
Nathaniel McCallum
npmccallum at redhat.com
Mon May 11 14:09:58 UTC 2015
Yes and no.
The current Kerberos support is insecure and should not be used. The main
problem is that the session key is reused for all TLS connections. This
prevents perfect forward secrecy.
That being said, we have been toying around with the idea of making a new
standard for GSSAPI/TLS which uses a DH or a PAKE to ensure that both
sides contribute entropy to a random encryption key.
However, we have to get some of the other standards work off our plates
before we can tackle such a large task.
In short: existing Kerberos support should be removed from OpenSSL.
Nathaniel
On Tue, 2015-05-05 at 14:44 +0200, Petr Spacek wrote:
> Hello!
>
> Is this somehow interesting for us?
>
> Petr^2 Spacek
>
>
> -------- Forwarded Message --------
> Subject: [openssl-users] Kerberos
> Date: Tue, 05 May 2015 09:21:28 +0100
> From: Matt Caswell <matt at openssl.org>
> Reply-To: openssl-users at openssl.org
> To: openssl-users at openssl.org, openssl-dev at openssl.org
>
> I am considering removing Kerberos support from OpenSSL 1.1.0. There
> are
> a number of problems with the functionality as it stands, and it
> seems
> to me to be a very rarely used feature. I'm interested in hearing any
> opinions on this (either for or against).
>
> Thanks in advance for your input,
>
> Matt
> _______________________________________________
> openssl-users mailing list
> To unsubscribe:
> https://mta.openssl.org/mailman/listinfo/openssl-users
>
More information about the Freeipa-devel
mailing list