krb5: disable automatic kx509 by default

Nicolas Williams
2019-11-13 17:42:25 -06:00
parent 84ffa22c93
commit ba5bb07495
2 changed files with 15 additions and 8 deletions


@@ -809,14 +809,20 @@ krb5_cc_close(krb5_context context,
*/
if (id->cc_initialized && id->cc_start_tgt_stored && !id->cc_kx509_done &&
strcmp("MEMORY", krb5_cc_get_type(context, id)) != 0) {
_krb5_debug(context, 2, "attempting to fetch a certificate using "
"kx509");
ret = krb5_kx509(context, id, NULL);
if (ret)
_krb5_debug(context, 2, "failed to fetch a certificate");
else
_krb5_debug(context, 2, "fetched a certificate");
ret = 0;
krb5_boolean enabled;
krb5_appdefault_boolean(context, NULL, NULL, "enable_kx509", FALSE,
&enabled);
if (enabled) {
_krb5_debug(context, 2, "attempting to fetch a certificate using "
"kx509");
ret = krb5_kx509(context, id, NULL);
if (ret)
_krb5_debug(context, 2, "failed to fetch a certificate");
else
_krb5_debug(context, 2, "fetched a certificate");
ret = 0;
}
}
ret = (*id->ops->close)(context, id);
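Review bot: The `enable_kx509` lookup added in the kx509 branch of `krb5_cc_close` carries no comment, and nothing in this commit's two changed files looks like documentation for the new option, so a site that relied on the old automatic fetch gets no hint why certificates stop appearing after an upgrade. I would add `/* Automatic kx509 on close is opt-in via enable_kx509; off by default. */` above the lookup and describe the option wherever the other configuration settings are documented. Declaring `krb5_boolean enabled = FALSE;` would also keep the guard fail-closed without relying on the lookup always writing its output. The block comment that ends on the hunk's first line and the rest of the function lie outside the hunk, so that comment may need the same update.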


@@ -2,6 +2,7 @@
default_realm = TEST.H5L.SE
no-addresses = TRUE
allow_weak_crypto = TRUE
enable_kx509 = true
[appdefaults]
pkinit_anchors = FILE:@objdir@/ca.crt