[krbdev.mit.edu #6605] SVN Commit
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Wed Dec 23 16:10:31 EST 2009
Pkinit's verification of the KDC SAN requires that the certificate
have a SAN for the server principal. That's not correct according to
RFC 4556. The KDC should have a SAN for the TGS principal; that's
independent of whether the TGS principal is actually the server.
Fix to build the TGS principal explicitly.
http://src.mit.edu/fisheye/changelog/krb5/?cs=23504
Commit By: hartmans
Revision: 23504
Changed Files:
U branches/anonymous/src/plugins/preauth/pkinit/pkinit_clnt.c
More information about the krb5-bugs
mailing list