On Tue, Nov 28, 2000 at 11:09:20AM -0500, Jeffrey Altman wrote:
>
> Vern, Richard and I are already working on adding support to OpenSSL
> for the Kerberos 5 ciphers. All of the Kerberos library calls are
> being placed into two new source files in the ssl directory. The
> other affected files will only make calls to the new support
> functions. OpenSSL can be built with or without Kerberos 5 support.
>
> The changes to ssl_lib.c will look something like
>
> #ifdef KRB5
> if ((cipher & KRB5_MASK) && !kssl_krb5_client_ready())
> skip cipher when building list;
> #endif
>
> and
>
> #ifdef KRB5
> if ((cipher & KRB5_MASK) && !kssl_krb5_server_ready())
> skip cipher when processing client's cipher list;
> #endif
>
> The change is really small. Is it a hack? Yes. But it's a start. It
> can always be re-implemented in a better way later on.
This all looks good to me. I don't have any strong feelings about
exactly where in the code to do the test. As long as the test is
performed for each ClientHello message it should be able to handle
renegotiation OK.
FYI, on the server side, I think the test should be not whether
/etc/krb5.keytab exists, but whether it is readable, in case e.g.
a uid=nobody apache tries to read a root-owned mode 0600 keytab.
--
"My company prefers to have that kind of decision made by
uninformed executives. We call it "Empowerment"." --Dilbert
[EMAIL PROTECTED]
Vern Staats, ASC/HPTS, WPAFB OH 45433, 937-255-1616x449
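Vern's point about testing readability rather than existence, as an added C example (not code from this thread or from OpenSSL's kssl sources): the server-readiness test opens the keytab under the process's effective credentials, so a uid=nobody server facing a root-owned 0600 /etc/krb5.keytab gets EACCES and the Kerberos ciphers are skipped. The status enum, function names and the temporary file are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why the keytab is (un)usable; hypothetical names, not OpenSSL's. */
enum keytab_status { KEYTAB_OK, KEYTAB_MISSING, KEYTAB_UNREADABLE, KEYTAB_NOT_REGULAR, KEYTAB_ERROR };

/* Open the keytab instead of stat()ing it: the kernel then applies the
 * server's *effective* uid/gid, so a root-owned 0600 file seen by a
 * uid=nobody process yields EACCES rather than "exists, looks fine". */
enum keytab_status keytab_check(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        if (errno == ENOENT || errno == ENOTDIR) return KEYTAB_MISSING;
        if (errno == EACCES || errno == EPERM)  return KEYTAB_UNREADABLE;
        return KEYTAB_ERROR;
    }
    struct stat st;                 /* open() succeeds on directories too */
    enum keytab_status s = KEYTAB_OK;
    if (fstat(fd, &st) != 0)        s = KEYTAB_ERROR;
    else if (!S_ISREG(st.st_mode))  s = KEYTAB_NOT_REGULAR;
    close(fd);
    return s;
}

/* Readiness predicate in the spirit of the quoted kssl_krb5_server_ready(). */
int krb5_server_ready(const char *keytab) { return keytab_check(keytab) == KEYTAB_OK; }

/* Exercise the check on a constructed temporary file (not a real keytab):
 * readable as our own 0600 file, unreadable at mode 0000 (unless we run as
 * root, which bypasses DAC), and missing once unlinked. Returns 1 on pass. */
int demo_keytab_check(void)
{
    char path[] = "/tmp/krb5.keytab.demoXXXXXX";
    int fd = mkstemp(path);         /* created 0600, owned by our euid */
    if (fd < 0) return 0;
    int ok = write(fd, "\x05\x02", 2) == 2;   /* placeholder bytes */
    close(fd);
    ok = ok && krb5_server_ready(path);
    if (chmod(path, 0) == 0) {
        enum keytab_status want = geteuid() == 0 ? KEYTAB_OK : KEYTAB_UNREADABLE;
        ok = ok && keytab_check(path) == want;
    }
    unlink(path);
    return ok && keytab_check(path) == KEYTAB_MISSING;
}
```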
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]