krb5 1.15 beta1 is out, and has support for openssl 1.1. It is tempting to fix this bug by taking the new upstream version instead of having to backport a somewhat invasive patchset. However, trying to use krb5 1.15 for the fix would give a somewhat tight timeline in order to get something fixed in stretch with a non-beta upstream version.
I believe that the soname of the libkadm5{src,clnt} libraries has been bumped, which might necessitate a transition to take a new krb5, which is unfortunate.

-Ben