You are likely on your own here. I’m surprised the base system kinit ever worked with OpenSSL in FIPS mode. Given the age of the Heimdal code (and I believe dependence on algorithms that should be deprecated), I would strongly suggest looking at Kerberos in ports as a path forward as they will likely be better supported with modern crypto.
Gordon

> On Apr 19, 2024, at 08:12, Wall, Stephen <stephen.w...@redcom.com> wrote:
>
>> FreeBSD-SA-24:03.unbound Security Advisory
>>
>> Topic: Multiple vulnerabilities in unbound
>
> Since upgrading to p6 in response to this SA, we've found that kinit has started
> failing for us. This looks to be due to aaf2c7fdb8 [1], when it attempts to load
> the legacy OpenSSL provider, which we do not install on our systems.
> Furthermore, it loads the default provider as well, which we specifically do not
> load when systems are configured for FIPS operation.
>
> What is our exposure if we simply revert this commit? Are there any CVEs
> associated with it? Is there a way to disable the ciphers at build time that
> can trigger the segfaults?
>
> Or am I on my own resolving this because we do not use the legacy provider (i.e.
> not a default system)?
>
> Thanks for your consideration.
>
> - Steve Wall
>
> [1]
> https://cgit.freebsd.org/src/commit/?h=releng/14.0&id=aaf2c7fdb81a1dd9de9fc77c9313f4e60e68fa76