On 08/24/2015 12:59 PM, Glenn Machin wrote (off list):
> Here is the raw packet. Let me know if there is anything else I can do.

I am unfortunately not able to duplicate the error in my setup using either krb5 1.10.x or the master branch, sending this exact packet to the KDC. If I temporarily modify the code to suppress all of the expected errors from X509_verify(), SAN checking, EKU checking, minimum DH parameter enforcement, and timestamp checking, the KDC issues a ticket. None of the suppressed errors appear as ASN.1 errors like you're seeing.

My system has OpenSSL 1.0.1f. What version do you have?

Also, it's conceivable that your error is manifesting in X509_verify() after trust is established, or happens while encoding AD-INITIAL-VERIFIED-CAS. If you send me your CA certificate (not the private key, of course, just the cert), I can perform a better test.