From 072dcc606aefd7ed7f82fb97210e76d96c495805 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Thu, 22 Feb 2007 01:24:01 +0000
Subject: [PATCH] x

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20272 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 ChangeLog | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 21865c0f8..533d0c8bd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,19 @@
 2007-02-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
+	* kdc/kerberos5.c: Select a session enctype from the list of the
+	crypto systems supported enctype, is supported by the client and
+	is one of the enctype of the enctype of the krbtgt.
+	
+	The later is used as a hint what enctype all KDC are supporting to
+	make sure a newer version of KDC wont generate a session enctype
+	that and older version of a KDC in the same realm can't decrypt.
+	
+	But if the KDC admin is paranoid and doesn't want to have "no the
+	best" enctypes on the krbtgt, lets save the best pick from the
+	client list and hope that that will work for any other KDCs.
+	
+	Reported by metze.
+
 	* kdc/hprop.c (propagate_database): on any failure, drop the
 	connection to the peer and try next one.