Subject: Re: openssl 0.9.7 in NetBSD?
To: Love <lha@stacken.kth.se>
From: None <itojun@iijlab.net>
List: tech-crypto
Date: 07/22/2003 17:43:00
>> after some more discussions:
>> - we should disable kerberos-and-ssl stuff in openssl, as it is not
>>   doing the right thing (-> some functions will go away)
>> - des_xx -> DES_xx is okay from heimdal POV
>>   (-> des_xx goes away, DES_xx will appear)
>>
>> so when we import 0.9.7, there'll be a shlib major # bump for libcrypto
>> and libdes, and there'll be some changes to heimdal code for des stuff.
>
>I think this requires us to drop kerberos 4 support, both libs and tools,
>since it's dependent on the old des_ api.
>
>Current heimdal kinit supports doing 524 and storing the v4 credentials; this
>solves the problem for the few people that still use zephyr (and other v4
>applications). So, there will still be a single sign on.
>
>AFS users can already today use libkafs that is compiled w/o v4 support, so
>that shouldn't be a problem.
>
>Maybe I'll add support so the kdc can service v4 requests (by inlining the
>necessary functions), but I'm not sure about this.
>
>I'm fine with having kerberos 4 die now, and really, it should.

so upgrade plan would be:
- disable kerberos4 by default
- import openssl 0.9.7b (or latest), with kerberos-and-ssl stuff
  disabled. shlib major bump. kerberos portion would not build
  for a while, i guess?
- massage kerberos5 portion to work with openssl 0.9.7

i dunno how to achieve first bullet (MKKERBEROS would disable/enable
both).

itojun