[19648] in Kerberos_V5_Development
Re: pkinit plugin logic in pkinit_srv.c
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Aug 29 16:18:17 2017
To: Craig Huckabee <craig.huckabee@spawar.navy.mil>
From: Greg Hudson <ghudson@MIT.EDU>
Message-ID: <bff3d958-bb11-fe34-3ec9-b45891106759@mit.edu>
Date: Tue, 29 Aug 2017 16:18:01 -0400
MIME-Version: 1.0
In-Reply-To: <b3dd1954-7cfa-cf44-b9c3-a96dc3625e52@mit.edu>
Cc: krbdev@MIT.EDU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@MIT.EDU
On 08/24/2017 03:26 PM, Greg Hudson wrote:
> It may be that we presently have the wrong behavior if the cert contains
> a UPN SAN and pkinit_allow_upn = false (the default). In that case the
> upn module should probably return KRB5_PLUGIN_NO_HANDLE but might now be
> returning a mismatch.
Just to close the loop on this: it turns out the san module was
explicitly rejecting certs with any SANs at all, even if they have
nothing to do with PKINIT. This will be fixed soon.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev