From rt-comment at krbdev.mit.edu Wed Mar 4 02:09:38 2026
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Wed, 04 Mar 2026 02:09:38 -0500
Subject: [krbdev.mit.edu #9198] git commit

Wed Mar 04 02:09:38 2026: Request 9198 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
       Queue: krb5
     Subject: git commit
       Owner: ghudson at mit.edu
  Requestors:
      Status: new
 Ticket

Use X509_check_host() to verify KKDCP server cert

In the k5tls module, rely on X509_check_host() and X509_check_ip_asc(),
which were added in OpenSSL 1.0.2, instead of doing our own
verification.  There is one notable difference in behavior:
X509_check_host() admits wildcards with a prefix or suffix (but not
both) within the label, like "kdc*.mydomain.com".  The old code only
allows a wildcard to match a complete label.

https://github.com/krb5/krb5/commit/f5bbfa4821cf590a4748f96d0e016bc0485e95c4
Author: Greg Hudson
Commit: f5bbfa4821cf590a4748f96d0e016bc0485e95c4
Branch: master

 src/plugins/tls/k5tls/openssl.c | 211 ++-------------------------------------
 1 file changed, 6 insertions(+), 205 deletions(-)
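As an added illustration (not krb5's k5tls code and not OpenSSL's X509_check_host() implementation), the following C function contrasts the two wildcard policies the commit message describes: the old whole-label rule versus the prefix-or-suffix rule. The names host_matches, wildcard_policy, and the "at least two labels after the wildcard" and "wildcard covers at least one character" checks are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical policy switch: STRICT accepts "*" only as the whole leftmost
 * label ("*.x.y"); PARTIAL also accepts a prefix or suffix around it
 * ("kdc*.x.y", "*kdc.x.y") but never both ("k*c.x.y"). */
enum wildcard_policy { WILDCARD_STRICT, WILDCARD_PARTIAL };

/* Case-insensitive ASCII comparison of n bytes. */
static bool eq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Number of dots, i.e. labels following the leftmost one. */
static int labels_after(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

bool host_matches(const char *pattern, const char *host, enum wildcard_policy pol)
{
    const char *star = strchr(pattern, '*'), *pdot = strchr(pattern, '.');
    const char *hdot = strchr(host, '.');
    size_t plen, hlen, prefix, suffix;

    if (star == NULL)   /* No wildcard: names must be equal as a whole. */
        return strlen(pattern) == strlen(host) && eq_n(pattern, host, strlen(host));
    if (pdot == NULL || hdot == NULL || star > pdot || strchr(star + 1, '*'))
        return false;   /* One wildcard at most, only in the leftmost label. */
    if (labels_after(pattern) < 2)
        return false;   /* Assumed rule: "*.com" is too broad to accept. */
    plen = (size_t)(pdot - pattern);
    hlen = (size_t)(hdot - host);
    prefix = (size_t)(star - pattern);
    suffix = plen - prefix - 1;
    if (pol == WILDCARD_STRICT && plen != 1)
        return false;   /* Old k5tls behaviour: "*" must be the entire label. */
    if (prefix != 0 && suffix != 0)
        return false;   /* Prefix or suffix, never both. */
    if (hlen < prefix + suffix + 1)
        return false;   /* Assumed rule: the wildcard covers >= 1 character. */
    if (!eq_n(pattern, host, prefix) || !eq_n(pdot - suffix, hdot - suffix, suffix))
        return false;
    return strlen(pdot) == strlen(hdot) && eq_n(pdot, hdot, strlen(pdot));
}
```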