From: Matthew Seaman
Organization: Infracaninophile
Date: Wed, 07 Jul 2010 06:00:43 +0100
Message-ID: <4C3409FB.60906@infracaninophile.co.uk>
To: Matthias Andree
Cc: Kostik Belousov, freebsd-current@freebsd.org, Andrew Reilly
Subject: Re: Regression in GSSAPI/libxh509 linking? [PR bin/147175]
List-Id: Discussions about the use of FreeBSD-current

On 06/07/2010 23:26:03, Matthias Andree wrote:
> On 06.07.2010 at 21:00, Matthew Seaman wrote:
>
>> On 06/07/2010 15:14:28, Andrew Reilly wrote:
>>> So: how should I "fix" this, properly, on my -current system? Is it
>>> as simple as installing heimdal from ports? I can't remove openssl-1.0:
>>> that has 191 ports listed in its REQUIRED_BY file.
>>
>> Rebuild the port of openssl-1.0.0 after modifying the OPTIONS to include
>> MD2=on ?
>
> Not good given that MD2 is broken. Very broken, not just by a factor of
> 2^5 or something.
>
> Whereupon rests the earlier assertion (not by Matthew) that Kerberos V
> needed MD2 checksums?
> I can't seem to find that in the KRB5 protocol and checksum RFCs. If
> it's not mandatory we may want to nuke MD2 from Kerberos to remedy a
> weakness... Chapter and Verse welcome.

Yeah. Even so, lots of software still expects it to be present and
won't link without it. I hope no one is actually using it, or running
with a cipher configuration that would permit it to be used.

Cleaning all reliance on MD2 out of the ports and base would make a very
good project for a bunch of people, and pushing those changes upstream
would certainly help make the internet a better place.

Probably should start with an experimental run on a tinderbox somewhere
trying to build all ports that are OpenSSL consumers against
security/openssl with MD2 turned off.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
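
As a first triage before the tinderbox run proposed above, installed binaries can be scanned for undefined references to OpenSSL's MD2 symbols, which are the references that stop resolving when libcrypto is built without MD2. This is an added example, not part of the original message; the sample `nm` lines, file names and version tag are constructed, and the input is assumed to be in `nm -A -D` format.

```shell
#!/bin/sh
# Added example (not from the thread): list files that import OpenSSL MD2 symbols.
# Input on stdin: `nm -A -D` style lines, "path:[addr] TYPE symbol".
# Assumption: paths contain no whitespace.

# OpenSSL's public MD2 entry points; missing from libcrypto when MD2 is off.
MD2_SYMS='MD2|MD2_Init|MD2_Update|MD2_Final|MD2_options|EVP_md2'

md2_consumers() {
    awk -v syms="$MD2_SYMS" '
        # Anchor the match and tolerate a symbol@VERSION suffix.
        BEGIN { re = "^(" syms ")(@.*)?$" }
        NF >= 3 {
            sym = $NF; type = $(NF - 1)
            # Only undefined (U) references depend on libcrypto providing MD2;
            # a file that defines its own MD2_Init (type T) is not a consumer.
            if (type == "U" && sym ~ re) {
                file = $1; sub(/:$/, "", file)
                if (!(file in seen)) { seen[file] = 1; print file }
            }
        }'
}

# Constructed sample input, shaped like `nm -A -D` output.
sample_nm_output() {
    cat <<'EOF'
/usr/local/lib/libexample_krb.so:                 U EVP_md2
/usr/local/lib/libexample_krb.so:                 U EVP_sha1
/usr/local/lib/libexample_krb.so:                 U MD2_Init
/usr/local/bin/example_tls_tool:                 U EVP_sha256
/usr/local/bin/example_tls_tool:0000000000001a40 T MD2_Init
/usr/local/lib/libexample_pkcs.so:                 U MD2_Final@OPENSSL_1_0_0
EOF
}

# Real use (paths are examples):
#   find /usr/local/lib /usr/local/bin -type f -exec nm -A -D {} + 2>/dev/null \
#       | md2_consumers
```

A clean result here only covers dynamic symbol imports; software that probes for MD2 at configure time or looks it up by name at run time still needs the full build test.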