[EXTERNAL] Re: Heimdahl Kerberos on MacOSX 10.9.5 using pkinit produces verify error

Glenn Machin gmachin at sandia.gov
Tue Aug 25 10:46:38 EDT 2015


On the RHEL6 system which has this problem its using OpenSSL 1.0.1e.   
Since you indicated OpenSSL 1.0.1f might have the bug fixed, I am going 
to build the openssl source for OpenSSL 1.0.1f and link it into our MIT 
Kerberos build and see if that fixes the problem.    I will let you know 
what I find.


Glenn



On 8/25/15 8:41 AM, Greg Hudson wrote:
> On 08/25/2015 12:50 AM, Glenn Machin wrote:
>> Looks like it is an openssl issue, apparently fixed in version 1.0.1f
>> .   Seems I asked a similar question then and found this on the
>> krb5-bugs list -
>> http://mailman.mit.edu/pipermail/krb5-bugs/2011-January/008510.html
> Thanks for finding this; I remembered that too, but couldn't find the
> details.
>
> After I sent my last response, I was able to produce the "wrong tag"
> error with your packet by disabling the use of CMS functions and forcing
> the use of PKCS7 functions instead.  But it doesn't quite match the
> "nested asn1 error" you are seeing, so I'm not sure it's the same thing.



More information about the Kerberos mailing list