On 26.08.25 15:05, Jan Bramkamp wrote:
On 26.08.25 06:25, Rick Macklem wrote:
On Mon, Aug 25, 2025 at 1:27 PM Rick Macklem <[email protected]> wrote:
On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans <[email protected]> wrote:
On 8/25/25 07:53, Gleb Smirnoff wrote:
Hi,
On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote:
T> This is an automated email to inform you that the August 2025 stabilization week
T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which was tagged as
T> main-stabweek-2025-Aug.
This stabilization cycle is expected to be more bumpy than usual.
1) We got a major upgrade - OpenSSL 3.5.1. One known issue is that the legacy
provider is broken.
I believe that KTLS support isn't yet enabled for it?
(If so, NFS over TLS won't work.)
2) The default Kerberos now is MIT. We have already checked that a Kerberized
NFS client can migrate from Heimdal to MIT. We did not check Kerberized NFS
server, but should be fine.
I tested the server a couple of days ago and it was fine.
There is not yet an official way to migrate kdc from Heimdal to MIT.
Yea. One possibility is to install Heimdal-7.8 from ports/packages and then
use it to dump the KDC's database in MIT format. (Although Cy seemed to
find it didn't work, doing this with the "--decrypt" option might retain the
passwords.)
I'll give this a try and report back if it worked for me.
Well, I'm not having any luck.
Every time I try and use Heimdal-7.8 to load the database from Heimdal-1.5.2,
"kadmin -l" throws this error and exits.
kadmin: rc4 8: EVP_CipherInit_ex einit
I need the Heimdal-7.8 kadmin to work to try and convert the database to
MIT format.
So, does anyone know the trick to fixing this? rick
This looks very similar to a problem I had when upgrading to the first
FreeBSD release using OpenSSL 3.x.
In that case the issue was that the cryptographically broken old RC4
ciphersuite is no longer supported at all.
In Heimdal you could disable it in the configuration and so it
wouldn't even probe for the removed cipher.
Sorry I forgot to include the relevant /etc/krb5.conf lines:
[libdefaults]
default_keys = aes256-cts-hmac-sha1-96:pw-salt
default_etypes = aes256-cts-hmac-sha1-96
default_etypes_des =
[kadmin]
default_keys = aes256-cts-hmac-sha1-96:pw-salt
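
An added example, not part of the original message and not Heimdal's own code: a Python check that reads a krb5.conf and reports, for the four settings shown above, whether each is pinned and whether it still names an RC4 or single-DES enctype (both are only available from the OpenSSL 3.x legacy provider). The sample config, the realm name and the function names are constructed for illustration.

```python
import re

# (section, key) pairs taken from the krb5.conf lines in the message above.
PINNED = [("libdefaults", "default_keys"), ("libdefaults", "default_etypes"),
          ("libdefaults", "default_etypes_des"), ("kadmin", "default_keys")]

# Constructed sample config (not from the thread) that still lists RC4.
SAMPLE = """\
[libdefaults]
    default_etypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5
    default_etypes_des =
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
[kadmin]
    default_keys = aes256-cts-hmac-sha1-96:pw-salt arcfour-hmac-md5:pw-salt
"""

def is_legacy(enctype):
    """True for RC4 and single-DES enctype names; des3-* and aes* are not flagged."""
    name = enctype.split(":")[0].lower()      # drop a ":pw-salt" style suffix
    return name.startswith(("arcfour", "rc4", "des-"))

def parse(text):
    """Return {(section, key): [values]} for top-level 'key = value' lines."""
    section, depth, out = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:
            section = m.group(1)
        elif line.endswith("{"):              # nested block such as a realm entry
            depth += 1
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif depth == 0 and section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[(section, key)] = [v for v in re.split(r"[,\s]+", value) if v]
    return out

def audit(text):
    """Map each pinned setting to 'unset', 'ok', or the legacy enctypes it lists."""
    conf = parse(text)
    return {k: "unset" if k not in conf else
               ([v for v in conf[k] if is_legacy(v)] or "ok") for k in PINNED}

print(audit(SAMPLE))
```

A result of "unset" means the library's built-in default applies for that setting, which this check does not evaluate.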