On Thu, Nov 02, 2000 at 03:31:23PM +0100, Richard Levitte - VMS Whacker wrote:
> From: Jeffrey Altman <[EMAIL PROTECTED]>
>
> jaltman> have you started to work on integrating the Kerberos 5 cipher suites
> jaltman> into the current builds?
>
> Nope.
>
> jaltman> If not, I will try to work on it next week.
>
> Please do.

Is this using my kssl stuff? If so, a few questions/comments...

I'm currently working on kssl-0.4 for OpenSSL 0.9.6, mod_ssl/apache/etc.
The tweaks going from OpenSSL 0.9.5a to 0.9.6 were minor.

I'm also looking at RFC 2712 compliance issues:

1. Should the 40-bit export ciphersuites (EXP-KRB5-DES-CBC-SHA) be
   removed or at least #ifdef'd out? "IESG Note: ... Implementation
   and use of the 40-bit ciphersuites ... is strongly discouraged".

2. The KRB5_WITH_ { RC4_128, IDEA_CBC } _ {SHA,MD5} ciphersuites
   should be implemented. I'm currently looking into this.

3. RFC 2712 Figure 2 shows struct KerberosWrapper containing:

       opaque Ticket;                    /* holds encrypted session key */
       opaque authenticator;             /* OPTIONAL */
       opaque EncryptedPreMasterSecret;  /* encrypted with session key */

   The authenticator may be used to pass authorization information.
   I haven't done anything to support the authenticator "field".

4. As Jeffrey Altman noted earlier, the RFC specifies the Kerberos
   service name as "host" instead of "kssl". I suppose "host" should
   be the default, although I'd really like to retain an option to
   use a separate service name.

Should I be trying to push the RFC 2712 stuff in asap (before next week)?
Do you want my current pre-kssl-0.4 patches?

FYI, the OpenSSL 0.9.5a patches are at
http://download.sourceforge.net/kssl/kssl-0.3.tgz

--
"My company prefers to have that kind of decision made by
uninformed executives. We call it "Empowerment". --Dilbert
[EMAIL PROTECTED]
Vern Staats, ASC/HPTS, WPAFB OH 45433, 937-255-1616x449
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]