mit-krb5-1.12.1 libressl compatability: autodetect cms
junk4me46806@yahoo.com
junk4me46806 at yahoo.com
Mon Aug 11 00:33:22 EDT 2014
On 08/10/2014 08:34:42 PM, Greg Hudson wrote:
> On 08/10/2014 05:38 PM, junk4me46806 at yahoo.com wrote:
> > mit-krb5-1.12.1 has a minor and easy to fix incompatibility.
> libressl
> > portable 2.0.5 has cms disabled and reports an
> OPENSSL_VERSION_NUMBER
> > of 0x20000000L.
>
> Do you know why libressl has CMS disabled? The fallback code is
> known
> not to interoperate with some peer implementations, although they
> aren't
> commonly used.
>
I do not know for sure. It appears that they only have so much
manpower and haven't had a chance to clean up the cms code yet.
Here is some discussion on the openbsd tech mailing list:
http://marc.info/?l=openbsd-tech&m=140711002103809&w=2
One advantage of the proposed autoconf fix is that if libressl turns on
cms in the future, it will be automatically picked up.
Would it make sense to have autoconf generate a warning if openssl cms
isn't found:
AC_MSG_WARN[System openssl does not support cms, using fallback code
that is known to have issues with some peers]
--
Paul Maurer
junk4me46806 at yahoo.com
More information about the krbdev
mailing list