[EXTERNAL] Re: Heimdahl Kerberos on MacOSX 10.9.5 using pkinit produces verify error
Greg Hudson
ghudson at mit.edu
Mon Aug 24 18:17:42 EDT 2015
On 08/24/2015 12:59 PM, Glenn Machin wrote (off list):
> Here is the raw packet. Let me know if there is anything else I can do.

I am unfortunately not able to duplicate the error in my setup using
either krb5 1.10.x or the master branch, sending this exact packet to
the KDC. If I temporarily modify the code to suppress all of the
expected errors from X509_verify(), SAN checking, EKU checking, minimum
DH parameter enforcement, and timestamp checking, the KDC issues a
ticket. None of the suppressed errors appear as ASN.1 errors like
you're seeing.

My system has OpenSSL 1.0.1f. What version do you have? Also, it's
conceivable that your error is manifesting in X509_verify() after trust
is established, or happens while encoding AD-INITIAL-VERIFIED-CAS. If
you send me your CA certificate (not the private key, of course, just
the cert), I can perform a better test.