oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

krb5: don't require krbtgt otherName match for Win2K

Browse Source 
Merged from Apple branch: when the Win2K PKINIT compatibility option is set, do
not require krbtgt otherName to match when validating KDC certificate.
This commit is contained in:
Luke Howard
2019-05-15 10:44:55 +10:00
committed by Jeffrey Altman
parent c634146b14
commit 8350f34a05
3 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/krb5/pkinit.c
View File

@@ -784,6 +784,8 @@ _krb5_pk_mk_padata(krb5_context context,
req_body->realm,
"pkinit_require_krbtgt_otherName",
NULL);
if (ic_flags & KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK)
ctx->require_krbtgt_otherName = FALSE;
ctx->require_hostname_match =
krb5_config_get_bool_default(context, NULL,