[37204] in Kerberos

Re: [EXTERNAL] Re: Heimdahl Kerberos on MacOSX 10.9.5 using pkinit

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Aug 24 18:18:04 2015

Message-ID: <55DB9806.7070709@mit.edu>
Date: Mon, 24 Aug 2015 18:17:42 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Glenn Machin <gmachin@sandia.gov>
In-Reply-To: <55DB4D8C.3050102@sandia.gov>
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>

On 08/24/2015 12:59 PM, Glenn Machin wrote (off list):
> Here is the raw packet. Let me know if there is anything else I can do.

I am unfortunately not able to duplicate the error in my setup using
either krb5 1.10.x or the master branch, sending this exact packet to
the KDC.  If I temporarily modify the code to suppress all of the
expected errors from X509_verify(), SAN checking, EKU checking, minimum
DH parameter enforcement, and timestamp checking, the KDC issues a
ticket.  None of the suppressed errors appear as ASN.1 errors like
you're seeing.

My system has OpenSSL 1.0.1f.  What version do you have?  Also, it's
conceivable that your error is manifesting in X509_verify() after trust
is established, or happens while encoding AD-INITIAL-VERIFIED-CAS.  If
you send me your CA certificate (not the private key, of course, just
the cert), I can perform a better test.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos