Re: [Freeipa-devel] Fwd: [openssl-users] removing Kerberos support from OpenSSL
Yes and no. The current Kerberos support is insecure and should not be used. The main problem is that the session key is reused for all TLS connections. This prevents perfect forward secrecy.

That being said, we have been toying around with the idea of making a new standard for GSSAPI/TLS which uses a DH or a PAKE to ensure that both sides contribute entropy to a random encryption key. However, we have to get some of the other standards work off our plates before we can tackle such a large task.

In short: existing Kerberos support should be removed from OpenSSL.

Nathaniel

On Tue, 2015-05-05 at 14:44 +0200, Petr Spacek wrote:
> Hello!
>
> Is this somehow interesting for us?
>
> Petr^2 Spacek
>
> -------- Forwarded Message --------
> Subject: [openssl-users] Kerberos
> Date: Tue, 05 May 2015 09:21:28 +0100
> From: Matt Caswell m...@openssl.org
> Reply-To: openssl-us...@openssl.org
> To: openssl-us...@openssl.org, openssl-...@openssl.org
>
> I am considering removing Kerberos support from OpenSSL 1.1.0. There are a number of problems with the functionality as it stands, and it seems to me to be a very rarely used feature.
>
> I'm interested in hearing any opinions on this (either for or against).
>
> Thanks in advance for your input,
>
> Matt
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Fwd: [openssl-users] removing Kerberos support from OpenSSL
Nico Williams has made an interesting proposal on this topic:
http://marc.info/?l=openssl-users&m=143136162429551&w=2

It is probably worth discussing.

On Mon, 2015-05-11 at 10:09 -0400, Nathaniel McCallum wrote:
> Yes and no. The current Kerberos support is insecure and should not be used. The main problem is that the session key is reused for all TLS connections. This prevents perfect forward secrecy.
>
> That being said, we have been toying around with the idea of making a new standard for GSSAPI/TLS which uses a DH or a PAKE to ensure that both sides contribute entropy to a random encryption key. However, we have to get some of the other standards work off our plates before we can tackle such a large task.
>
> In short: existing Kerberos support should be removed from OpenSSL.
>
> Nathaniel
[Freeipa-devel] Fwd: [openssl-users] removing Kerberos support from OpenSSL
Hello!

Is this somehow interesting for us?

Petr^2 Spacek

-------- Forwarded Message --------
Subject: [openssl-users] Kerberos
Date: Tue, 05 May 2015 09:21:28 +0100
From: Matt Caswell m...@openssl.org
Reply-To: openssl-us...@openssl.org
To: openssl-us...@openssl.org, openssl-...@openssl.org

I am considering removing Kerberos support from OpenSSL 1.1.0. There are a number of problems with the functionality as it stands, and it seems to me to be a very rarely used feature.

I'm interested in hearing any opinions on this (either for or against).

Thanks in advance for your input,

Matt