Info regarding MIT 1.8 Crypto modularity feature.

Jeffrey Altman jaltman at
Mon Aug 16 10:25:46 EDT 2010

On 8/16/2010 9:48 AM, Zhanna Tsitkova wrote:
> The selection of the crypto backend happens during the configure/build  
> time.
> For example, to use openssl cryptography one needs to configure MIT  
> Kerberos with option --with-crypto-impl=openssl. If this option is  
> omitted,  the default crypto. i.e. builtin, will be used.
> Only one crypto implementation per  Kerberos crypto library is  
> supported. This means that client/server does not have an option to  
> specify the type of the desired crypto implementation during run-time.  
> That said, it would be interesting to learn about the use case when  
> one needs to have an option to switch between crypto implementations  
> at run-time.
> Thanks,
> Zhanna

The most common use cases would be:

 * FIPS 140.2 vs non-FIPS modes.  In general non-FIPS will be faster
   but for some situations a FIPS mode is required.

 * Shipping a binary that can support hardware and non-hardware
   implemented encryption.

 * End user performance testing.

Jeffrey Altman

More information about the krbdev mailing list