[krbdev.mit.edu #8539] Preauth tryagain should copy KDC cookie
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sat Jan 21 13:14:49 EST 2017
RFC 6113 requires that "The client MUST copy the exact cookie
encapsulated in a PA-FX-COOKIE data element into the next message of the
same conversation." When we try again after a mechanism-specific error
(which in practice means a PKINIT error), we do not copy the KDC cookie.
We should fix this for better performance, but we do not need to
backport the fix as PKINIT does not require the use of cookies.
More information about the krb5-bugs
mailing list