On 26.08.25 06:25, Rick Macklem wrote:
On Mon, Aug 25, 2025 at 1:27 PM Rick Macklem <[email protected]> wrote:
On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans <[email protected]> wrote:
CAUTION: This email originated from outside of the University of Guelph. Do not
click links or open attachments unless you recognize the sender and know the
content is safe. If in doubt, forward suspicious emails to [email protected].
On 8/25/25 07:53, Gleb Smirnoff wrote:
Hi,
On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote:
T> This is an automated email to inform you that the August 2025 stabilization
week
T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which was tagged as
T> main-stabweek-2025-Aug.
This stabilization cycle is expected to be more bumpy than usually.
1) We got major upgrade - OpenSSL 3.5.1. One known issue is that the legacy
provider is broken.
I believe that KTLS support isn't yet enabled for it?
(If so, NFS over TLS wo't work.)
2) The default Kerberos now is MIT. We have already checked that a Kerberized
NFS client can migrate from Heimdal to MIT. We did not check Kerberized NFS
server, but should be fine.
I tested the server a couple of days ago and it was fine.
There is no yet an official way to migrate kdc
from Heimdal to MIT.
Yea. One possibility is to install Heimdal-7.8 from ports/packages and then
use it to dump the KDC's database in MIT format. (Although Cy seemed to
find it didn't work, doing this with the "--decrypt" option might retain the
passwords.)
I'll give this a try and report back if it worked for me.
Well, I'm not having any luck.
Every time I try and use Heimdal-7.8 to load the database from Heimdal-1.5.2,
"kadmin -l" throws this error and exits.
kadmin: rc4 8: EVP_CipherInit_ex einit
I need the Heimdal-7.8 kadmin to work to try and convert the database to
MIT format.
So, does anyone know the trick to fixing this? rick
This looks very similar to a problem I had when upgrading to the first
FreeBSD release using OpenSSL 3.x.
In that case the issues was that the cryptographically broken old RC4
ciphersuite is no longer supported at all.
In Heimdal you could disable it in the configuration and so it wouldn't
even probe for the removed cipher.
