> On 11/15/23 23:22, Goetz Golla wrote:
>> * Does MIT Kerberos support PKINIT with Elliptic Curves as described
>> in RFC 5349 ?
>
> A P-384 EC client certificate works in my tests, with either krb5-1.17
> or the current code, as long as the KDC is also running MIT krb5.

We got burnt a while ago with an older PKINIT client-side plugin that worked fine when the KDC was linked against OpenSSL 1.0.2 but failed with OpenSSL 1.1 and above (this was fixed in newer MIT code and only occurred when you were using a smartcard). I am wondering if perhaps the incorrect metadata makes something fail on other versions of OpenSSL? I know this seems to be a completely client-side problem.

> Of course, my experience doesn't match yours. From your trace, I
> believe that the failure occurs in the client code, not on the KDC, so
> inspecting the KDC logs would not help. But the trace log does not
> contain any detailed information about the failure.

I have mentioned this before, but ... is there any interest in adding additional trace points for every place where the old "pkiDebug" calls are made? Hidden errors when doing PKINIT are the bane of my existence and I feel that I'm not the only one. I understand there are concerns about making the trace log too verbose, but I think every error could generate a trace message and it wouldn't add too much to the trace output when everything was working.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos