Subject: Re: openssl 0.9.7 in NetBSD?
To: Love <lha@stacken.kth.se>
From: None <itojun@iijlab.net>
List: tech-crypto
Date: 07/22/2003 17:43:00
>> 	after some more discussions:
>> 	- we should disable kerberos-and-ssl stuff in openssl, as it is not
>> 	  doing the right thing (-> some functions will go away)
>> 	- des_xx -> DES_xx is okay from heimdal POV
>> 	  (-> des_xx goes away, DES_xx will appear)
>>
>> 	so when we import 0.9.7, there'll be a shlib major # bump for libcrypto
>> 	and libdes, and there'll be some changes to heimdal code for des stuff.
>
>I think this requires us to drop kerberos 4 support, both libs and tools
>since it's dependent on the old des_ api.
>
>Current heimdal kinit supports doing 524 and storing the v4 credentials; this
>solves the problem for the few people that still use zephyr (and other v4
>applications). So, there will still be a single sign on.
>
>AFS users can already today use libkafs that is compiled w/o v4 support, so
>that shouldn't be a problem.
>
>Maybe I'll add support so the kdc can service v4 requests (by inlining the
>necessary functions), but I'm not sure about this.
>
>I'm fine with having kerberos 4 die now, and really, it should.

	so upgrade plan would be:
	- disable kerberos4 by default
	- import openssl 0.9.7b (or latest), with kerberos-and-ssl stuff
	  disabled.  shlib major bump.  kerberos portion would not build
	  for a while, i guess?
	- massage kerberos5 portion to work with openssl 0.9.7

	i dunno how to achieve first bullet (MKKERBEROS would disable/enable
	both).

itojun