tech-crypto archive


Re: openssl 0.9.7 in NetBSD?



>>      after some more discussions:
>>      - we should disable kerberos-and-ssl stuff in openssl, as it is not
>>        doing the right thing (-> some functions will go away)
>>      - des_xx -> DES_xx is okay from heimdal POV
>>        (-> des_xx goes away, DES_xx will appear)
>>
>>      so when we import 0.9.7, there'll be a shlib major # bump for libcrypto
>>      and libdes, and there'll be some changes to heimdal code for des stuff.
>
>I think this requires us to drop kerberos 4 support, both libs and tools,
>since it's dependent on the old des_ api.
>
>Current heimdal kinit supports doing 524 and storing the v4 credentials; this
>solves the problem for the few people that still use zephyr (and other v4
>applications). So, there will still be a single sign on.
>
>AFS users can already today use libkafs that is compiled w/o v4 support, so
>that shouldn't be a problem.
>
>Maybe I'll add support so the kdc can service v4 requests (by inlining the
>necessary functions), but I'm not sure about this.
>
>I'm fine with having kerberos 4 die now, and really, it should.

        so upgrade plan would be:
        - disable kerberos4 by default
        - import openssl 0.9.7b (or latest), with kerberos-and-ssl stuff
          disabled.  shlib major bump.  kerberos portion would not build
          for a while, i guess?
        - massage kerberos5 portion to work with openssl 0.9.7

        i dunno how to achieve first bullet (MKKERBEROS would disable/enable
        both).

itojun


