Date: Tue, 26 Aug 2025 15:08:13 +0200 From: Jan Bramkamp <crest@rlwinm.de> To: freebsd-current@freebsd.org Subject: Re: August 2025 stabilization week Message-ID: <638395fe-688f-43ec-be67-a239cdaaa08b@rlwinm.de> In-Reply-To: <31931c62-b125-4b28-b2df-b8f3e741d2bd@rlwinm.de> References: <aKwYB4d6l4ze-yXA@cell.glebi.us> <aKxcwqKqW3ZpA3Po@cell.glebi.us> <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org> <CAM5tNy5sNv8z0zW2ZFt%2B9=ytUpjGVudsYbcSC2mQSudi3iWSfQ@mail.gmail.com> <CAM5tNy73KwR-DBqc28bqRPKqW7UqXN7RXYB=p-Za5Lsoy9jFcw@mail.gmail.com> <31931c62-b125-4b28-b2df-b8f3e741d2bd@rlwinm.de>
index | next in thread | previous in thread | raw e-mail
On 26.08.25 15:05, Jan Bramkamp wrote: > On 26.08.25 06:25, Rick Macklem wrote: >> On Mon, Aug 25, 2025 at 1:27 PM Rick Macklem <rick.macklem@gmail.com> >> wrote: >>> On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans <kevans@freebsd.org> wrote: >>>> CAUTION: This email originated from outside of the University of >>>> Guelph. Do not click links or open attachments unless you recognize >>>> the sender and know the content is safe. If in doubt, forward >>>> suspicious emails to IThelp@uoguelph.ca. >>>> >>>> On 8/25/25 07:53, Gleb Smirnoff wrote: >>>>> Hi, >>>>> >>>>> On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote: >>>>> T> This is an automated email to inform you that the August 2025 >>>>> stabilization week >>>>> T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which >>>>> was tagged as >>>>> T> main-stabweek-2025-Aug. >>>>> >>>>> This stabilization cycle is expected to be more bumpy than usually. >>>>> >>>>> 1) We got major upgrade - OpenSSL 3.5.1. One known issue is that >>>>> the legacy >>>>> provider is broken. >>> I believe that KTLS support isn't yet enabled for it? >>> (If so, NFS over TLS wo't work.) >>> >>>>> 2) The default Kerberos now is MIT. We have already checked that a >>>>> Kerberized >>>>> NFS client can migrate from Heimdal to MIT. We did not check >>>>> Kerberized NFS >>>>> server, but should be fine. >>> I tested the server a couple of days ago and it was fine. >>> >>>> There is no yet an official way to migrate kdc >>>>> from Heimdal to MIT. >>> Yea. One possibility is to install Heimdal-7.8 from ports/packages >>> and then >>> use it to dump the KDC's database in MIT format. (Although Cy seemed to >>> find it didn't work, doing this with the "--decrypt" option might >>> retain the >>> passwords.) >>> >>> I'll give this a try and report back if it worked for me. >> Well, I'm not having any luck. >> Every time I try and use Heimdal-7.8 to load the database from >> Heimdal-1.5.2, >> "kadmin -l" throws this error and exits. >> >> kadmin: rc4 8: EVP_CipherInit_ex einit >> >> I need the Heimdal-7.8 kadmin to work to try and convert the database to >> MIT format. >> >> So, does anyone know the trick to fixing this? rick > > This looks very similar to a problem I had when upgrading to the first > FreeBSD release using OpenSSL 3.x. > > In that case the issues was that the cryptographically broken old RC4 > ciphersuite is no longer supported at all. > > In Heimdal you could disable it in the configuration and so it > wouldn't even probe for the removed cipher. > > Sorry I forgot to include the relevant /etc/krb5.conf lines: [libdefaults] default_keys = aes256-cts-hmac-sha1-96:pw-salt default_etypes = aes256-cts-hmac-sha1-96 default_etypes_des = [kadmin] default_keys = aes256-cts-hmac-sha1-96:pw-salthelp
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?638395fe-688f-43ec-be67-a239cdaaa08b>