Vern:
> Is this using my kssl stuff? If so, a few questions/comments...
It was my intention to use your KSSL as a base.
> I'm currently working on kssl-0.4 for OpenSSL 0.9.6, mod_ssl/apache/etc.
> The tweaks going from OpenSSL 0.9.5a to 0.9.6 were minor.
Great. If you can submit them it will make my life much easier.
> I'm also looking at RFC 2712 compliance issues:
>
> 1. Should the 40-bit export ciphersuites (EXP-KRB5-DES-CBC-SHA) be
> removed or at least #ifdef'd out? "IESG Note: ... Implementation
> and use of the 40-bit ciphersuites ... is strongly discouraged".
#ifdef'd would be my suggestion. People should have to decide to
compile them in.
> 2. The KRB5_WITH_ { RC4_128, IDEA_CBC } _ {SHA,MD5} ciphersuites
> should be implemented. I'm currently looking into this.
Let me know if I can help.
> 3. RFC 2712 Figure 2 shows struct KerberosWrapper containing:
> opaque Ticket; /* holds encrypted session key */
> opaque authenticator; /* OPTIONAL */
> opaque EncryptedPreMasterSecret; /* encrypted with session key */
>
> The authenticator may be used to pass authorization information.
> I haven't done anything to support the authenticator "field".
Simply an API to set the value and extract the value is all that is
required.
> 4. As Jeffrey Altman noted earlier the RFC specifies the Kerberos
> service name as "host" instead of "kssl". I suppose "host" should
> be the default, although I'd really like to retain an option to
> use a separate service name.
Make it a #define that can be overridden at compile time.
> Should I be trying to push the RFC 2712 stuff in asap (before next week)?
My time line is to have this code placed into the CVS by 11/20. That
is the week I am meeting with the MIT Kerberos Core team to discuss
the migration of Kerberos 5 v 1.x to use the OpenSSL crypto library
instead of the one they are currently using. I would like to be able
to sell them on this as an additional reason for making the change.
The current justifications are the telnet internet-drafts:
draft-ietf-tn3270e-telnet-tls-05.txt
draft-altman-rfc2941bis-00.txt
draft-altman-rfc2942bis-00.txt
> Do you want my current pre-kssl-0.4 patches?
Before I do any additional work: yes.
> FYI, the OpenSSL 0.9.5a patches are at
> http://download.sourceforge.net/kssl/kssl-0.3.tgz
Thanks.
Jeffrey Altman * Sr.Software Designer
The Kermit Project * Columbia University
612 West 115th St * New York, NY * 10025 * USA
http://www.kermit-project.org/ * [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
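
The three suggestions in the reply above (export suites behind an #ifdef, a service-name #define that can be overridden at compile time, and a set/extract API for the optional authenticator), as an added C example that is not kssl or OpenSSL code. The macro, function and struct names and the size bound are hypothetical, and the suite table is constructed from the names quoted in the message.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical macro names; not taken from kssl or OpenSSL. */
#ifndef KSSL_SERVICE_NAME
#define KSSL_SERVICE_NAME "host" /* RFC 2712 name; e.g. -DKSSL_SERVICE_NAME='"kssl"' */
#endif

/* Constructed suite table. The 40-bit export entry exists only when the
 * builder explicitly compiles with -DKSSL_ENABLE_EXPORT40. */
static const char *const kssl_suites[] = {
    "KRB5_WITH_RC4_128_SHA",
    "KRB5_WITH_IDEA_CBC_SHA",
#ifdef KSSL_ENABLE_EXPORT40
    "EXP-KRB5-DES-CBC-SHA",
#endif
};

/* Returns 1 if the named suite was compiled in, 0 otherwise. */
int kssl_suite_enabled(const char *name) {
    size_t i;
    for (i = 0; i < sizeof kssl_suites / sizeof kssl_suites[0]; i++)
        if (strcmp(kssl_suites[i], name) == 0) return 1;
    return 0;
}

const char *kssl_service_name(void) { return KSSL_SERVICE_NAME; }

#define KSSL_AUTH_MAX 1024 /* assumed bound for this sketch */
typedef struct {
    unsigned char authenticator[KSSL_AUTH_MAX];
    size_t authenticator_len; /* 0 means the OPTIONAL field is absent */
} kssl_wrapper;

/* Store the authenticator; returns 0 on success, -1 on bad or oversize input. */
int kssl_set_authenticator(kssl_wrapper *w, const unsigned char *buf, size_t len) {
    if (!w || (!buf && len) || len > KSSL_AUTH_MAX) return -1;
    if (len) memcpy(w->authenticator, buf, len);
    w->authenticator_len = len;
    return 0;
}

/* Copy the authenticator out; returns bytes copied, or -1 if it does not fit. */
long kssl_get_authenticator(const kssl_wrapper *w, unsigned char *out, size_t cap) {
    if (!w || !out || w->authenticator_len > cap) return -1;
    memcpy(out, w->authenticator, w->authenticator_len);
    return (long)w->authenticator_len;
}
```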