[krbdev.mit.edu #7596] PKINIT should allow missing DH param Q

Tom Yu via RT rt-comment at krbdev.mit.edu
Fri Mar 29 10:03:31 EDT 2013


"Reinhard Kugler via RT" <rt-comment at krbdev.mit.edu> writes:

> Thank you!
> I applied the patch to the krb-1.11.1 source, compiled pkinit and installed it.
> Unfortunately, the test was not successful.
> The client shows the error 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED.
> But the log output of krbkdc changed:
>
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> p is not well-known group 2 dhparameter
> bad group 2 q dhparameter

Interesting.  Maybe try putting "aip = NULL;" right before the call to
M_ASN1_D2I_get_opt()?
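The KDC-side parameter check that the error code and log lines above refer to, as an added Python example that is not krb5 code: it decodes a DER SEQUENCE of INTEGERs in which the third element q may be absent, and accepts a missing q for the well-known group 2 safe prime while still rejecting a wrong one. The DER encoder, the function names and the SEQUENCE { p, g, q OPTIONAL } layout are assumptions made for this example, not the PKINIT encoding itself.

```python
# Added example (not krb5 code): decode DH domain parameters whose optional
# subgroup order q may be absent, then apply a KDC-style acceptance check.
# MODP group 2 (RFC 2409, 1024-bit) is a public constant: p is a safe prime,
# so its subgroup order is q = (p - 1) / 2 and the generator is g = 2.
MODP_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP_GROUP2_G = 2
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED = 0x41  # the error the client reported

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb
def _der_int(n):  # non-negative INTEGER; a leading 0x00 keeps the sign bit clear
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body
def encode_dh_params(p, g, q=None):
    """Constructed sample: SEQUENCE { p INTEGER, g INTEGER, q INTEGER OPTIONAL }."""
    body = _der_int(p) + _der_int(g) + (_der_int(q) if q is not None else b"")
    return b"\x30" + _der_len(len(body)) + body
def _read_tlv(buf, off):
    tag, first = buf[off], buf[off + 1]
    n = first & 0x7F if first & 0x80 else 0  # long-form length uses n extra bytes
    length = int.from_bytes(buf[off + 2:off + 2 + n], "big") if n else first
    off += 2 + n
    return tag, buf[off:off + length], off + length
def decode_dh_params(der):
    """Return (p, g, q); q is None when the optional third INTEGER is absent."""
    tag, body, _ = _read_tlv(der, 0)
    ints, off = [], 0
    while off < len(body):
        t, v, off = _read_tlv(body, off)
        ints.append(int.from_bytes(v, "big", signed=True))
    if tag != 0x30 or len(ints) not in (2, 3):
        raise ValueError("expected SEQUENCE of 2 or 3 INTEGERs")
    return ints[0], ints[1], (ints[2] if len(ints) == 3 else None)
def check_dh_params(p, g, q=None):
    """KDC-side check: (0, "ok") if accepted, else (0x41, reason) in the log's wording."""
    err = KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
    if p != MODP_GROUP2_P:
        return err, "p is not well-known group 2 dhparameter"
    if g != MODP_GROUP2_G:
        return err, "bad group 2 g dhparameter"
    if q is not None and q != (p - 1) // 2:  # a missing q is fine; a wrong q is not
        return err, "bad group 2 q dhparameter"
    return 0, "ok"
```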
