mit-krb5-1.12.1 libressl compatability: autodetect cms junk4me46806 at
Mon Aug 11 00:33:22 EDT 2014

On 08/10/2014 08:34:42 PM, Greg Hudson wrote:
> On 08/10/2014 05:38 PM, junk4me46806 at wrote:
> > mit-krb5-1.12.1 has a minor and easy to fix incompatibility. 
> libressl 
> > portable 2.0.5 has cms disabled and reports an
> > of 0x20000000L.
> Do you know why libressl has CMS disabled?  The fallback code is 
> known
> not to interoperate with some peer implementations, although they
> aren't
> commonly used.

I do not know for sure.  It appears that they only have so much 
manpower and haven't had a chance to clean up the cms code yet.

Here is some discussion on the openbsd tech mailing list:

One advantage of the proposed autoconf fix is that if libressl turns on 
cms in the future, it will be automatically picked up.

Would it make sense to have autoconf generate a warning if openssl cms 
isn't found:
AC_MSG_WARN[System openssl does not support cms, using fallback code 
that is known to have issues with some peers]

Paul Maurer
junk4me46806 at

More information about the krbdev mailing list