[19648] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: pkinit plugin logic in pkinit_srv.c

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Aug 29 16:18:17 2017

To: Craig Huckabee <craig.huckabee@spawar.navy.mil>
From: Greg Hudson <ghudson@MIT.EDU>
Message-ID: <bff3d958-bb11-fe34-3ec9-b45891106759@mit.edu>
Date: Tue, 29 Aug 2017 16:18:01 -0400
MIME-Version: 1.0
In-Reply-To: <b3dd1954-7cfa-cf44-b9c3-a96dc3625e52@mit.edu>
Cc: krbdev@MIT.EDU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@MIT.EDU

On 08/24/2017 03:26 PM, Greg Hudson wrote:
> It may be that we presently have the wrong behavior if the cert contains
> a UPN SAN and pkinit_allow_upn = false (the default).  In that case the
> upn module should probably return KRB5_PLUGIN_NO_HANDLE but might now be
> returning a mismatch.

Just to close the loop on this: it turns out the san module was
explicitly rejecting certs with any SANs at all, even if they have
nothing to do with PKINIT.  This will be fixed soon.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post