Created attachment 247736
Rudimentary diff to get this working again

Using the security/heimdal port fails on FreeBSD 14.0 when trying to use kinit to get a Kerberos ticket for a user. The error message is

> kinit: rc4 8: EVP_CipherInit_ex einit

I've spent some time trying to track this down. Like the issue https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275915, it's due to OpenSSL policies disabling the RC4 cipher. Unlike issue 275915, you cannot work around this code: even though the etype used in the Kerberos exchange is based on AES, the code itself is doing a basic validation test to see if RC4 is available https://github.com/heimdal/heimdal/blob/366016b1f6ceb760c99231b15033e4dacf5060c9/lib/hcrypto/validate.c#L104-L212. The only way to get this working is to remove the tests and recompile the code. Potentially there's a way to re-enable RC4 in OpenSSL, but I need to look further into this.

I've also submitted an issue report on the upstream Heimdal repo https://github.com/heimdal/heimdal/issues/1224 which contains more details on the bug.

A workaround to enable the legacy provider in OpenSSL is to create a file:

```
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

Then use `OPENSSL_CONF=/path/to/openssl.cnf kinit user@DOMAIN.COM`. This can also be set in the system wide configuration `/etc/ssl/openssl.cnf` but the env var way allows you to get `kinit` working for now.
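
An added example, not part of the original report or of Heimdal or OpenSSL: a small audit script that reads an `openssl.cnf` and reports whether it activates the legacy provider, which is useful for checking whether the workaround was applied per-command or has ended up in a system-wide file. It also flags the case where `legacy` is activated without `default`, since OpenSSL stops loading the default provider implicitly once any provider is activated explicitly. The function names and the `LEGACY_ONLY` sample are constructed for illustration.

```python
import re

# Config from the workaround above, plus a constructed variant without the default provider.
PAGE_CONF = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
"""
LEGACY_ONLY = PAGE_CONF.replace("default = default_sect\n", "")

def parse_conf(text):
    """Minimal openssl.cnf reader: {section: {key: value}}; top-of-file keys go in 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def activated_providers(text):
    """Follow openssl_conf -> providers -> per-provider section; return names with activate set."""
    conf = parse_conf(text)
    init = conf.get(conf["default"].get("openssl_conf", ""), {})
    providers = conf.get(init.get("providers", ""), {})
    # Simplification (assumption of this example): only 1/yes/true/on count as activating.
    return {name for name, sect in providers.items()
            if conf.get(sect, {}).get("activate", "").lower() in {"1", "yes", "true", "on"}}

def audit(text):
    """Return findings for a config that turns on the legacy provider."""
    active, findings = activated_providers(text), []
    if "legacy" in active:
        findings.append("legacy provider active: RC4 and other legacy algorithms enabled")
        if "default" not in active:
            findings.append("default provider not activated: current algorithms such as AES unavailable")
    return findings

if __name__ == "__main__":
    for name, conf in (("page config", PAGE_CONF), ("legacy only", LEGACY_ONLY)):
        print(name, audit(conf))
```

Running it against `/etc/ssl/openssl.cnf` shows whether RC4 has been re-enabled for every OpenSSL consumer on the host rather than only for the `kinit` invocation.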