Nico Williams has made an interesting proposal on this topic:
http://marc.info/?l=openssl-users&m=143136162429551&w=2

It is probably worth discussing.

On Mon, 2015-05-11 at 10:09 -0400, Nathaniel McCallum wrote:
> Yes and no.
> 
> The current Kerberos support is insecure and should not be used. The
> main problem is that the session key is reused for all TLS connections.
> This prevents perfect forward secrecy.
> 
> That being said, we have been toying around with the idea of making
> a new standard for GSSAPI/TLS which uses a DH or a PAKE to ensure that
> both sides contribute entropy to a random encryption key.
> 
> However, we have to get some of the other standards work off our
> plates before we can tackle such a large task.
> 
> In short: existing Kerberos support should be removed from OpenSSL.
> 
> Nathaniel
> 
> On Tue, 2015-05-05 at 14:44 +0200, Petr Spacek wrote:
> > Hello!
> > 
> > Is this somehow interesting for us?
> > 
> > Petr^2 Spacek
> > 
> > 
> > -------- Forwarded Message --------
> > Subject: [openssl-users] Kerberos
> > Date: Tue, 05 May 2015 09:21:28 +0100
> > From: Matt Caswell <m...@openssl.org>
> > Reply-To: openssl-us...@openssl.org
> > To: openssl-us...@openssl.org, openssl-...@openssl.org
> > 
> > I am considering removing Kerberos support from OpenSSL 1.1.0. There
> > are a number of problems with the functionality as it stands, and it
> > seems to me to be a very rarely used feature. I'm interested in hearing
> > any opinions on this (either for or against).
> > 
> > Thanks in advance for your input,
> > 
> > Matt
> > _______________________________________________
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> > 
> 

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
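[Added example, not part of this thread and not code from OpenSSL, FreeIPA or any participant.] The script below contrasts the flaw Nathaniel describes (one Kerberos session key reused as the only secret for every TLS connection, so every connection key is the same and a later compromise of the session key exposes all of them) with the design he sketches (an ephemeral DH exchange so both sides contribute fresh entropy, with the session key only salting the derivation). It uses the Python standard library only; the DH group is RFC 3526 group 14 and the derivation is HKDF (RFC 5869). The info labels, the 32-byte session key and the two-connection demo are constructed for illustration; the PAKE alternative he mentions is not shown.

```python
"""Added example: static Kerberos session key vs. ephemeral DH per connection."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
Q = (P - 1) // 2          # p is a safe prime, so g = 2 generates the order-q subgroup
G = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; used only to self-check the group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_safe_prime():
    """True when both p and q = (p-1)/2 are (probable) primes."""
    return is_probable_prime(P) and is_probable_prime(Q)


def hkdf(salt, ikm, info, length=32):
    """HKDF-Extract then HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def legacy_connection_key(krb_session_key):
    """The flawed design: the session key is the only secret, so every
    connection derives the same key and no forward secrecy is possible."""
    return hkdf(b"", krb_session_key, b"legacy gss tls key")   # constructed label


def dh_keypair():
    """Ephemeral DH exponent and public value, discarded after the handshake."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def check_public_value(y):
    """Reject 0, 1, p-1 and anything outside the order-q subgroup."""
    if not 1 < y < P - 1 or pow(y, Q, P) != 1:
        raise ValueError("invalid DH public value")


def proposed_connection_key(krb_session_key, my_priv, peer_pub):
    """Both sides contribute entropy: the DH shared secret is the keying
    material, the Kerberos session key only salts the derivation."""
    check_public_value(peer_pub)
    z = pow(peer_pub, my_priv, P).to_bytes(P.bit_length() // 8, "big")
    return hkdf(krb_session_key, z, b"gss tls ephemeral key")   # constructed label


def demo(krb_session_key=b"\x11" * 32):   # constructed sample session key
    """Two connections under each design; returns the derived keys."""
    legacy = [legacy_connection_key(krb_session_key) for _ in range(2)]
    proposed = []
    for _ in range(2):
        c_priv, c_pub = dh_keypair()      # client side
        s_priv, s_pub = dh_keypair()      # server side
        k_client = proposed_connection_key(krb_session_key, c_priv, s_pub)
        k_server = proposed_connection_key(krb_session_key, s_priv, c_pub)
        assert k_client == k_server       # both ends agree on the fresh key
        proposed.append(k_client)
    return {"legacy": legacy, "proposed": proposed}


if __name__ == "__main__":
    keys = demo()
    print("legacy keys identical: ", keys["legacy"][0] == keys["legacy"][1])
    print("proposed keys distinct:", keys["proposed"][0] != keys["proposed"][1])
```

Running it shows the two legacy connection keys are byte-for-byte identical, while the two proposed keys differ even though the same session key was used; an attacker holding only the session key would still need one side's ephemeral exponent to recover a proposed key, which is exactly the forward-secrecy property the reused session key lacks.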
