
List:       openssl-dev
Subject:    Re: [openssl-dev] how to compile out selected ciphers
From:       Matt Caswell <matt () openssl ! org>
Date:       2017-08-31 14:06:51
Message-ID: b25ac28f-ab1c-c925-7f72-1d056d58ace8 () openssl ! org



On 31/08/17 14:52, Hubert Kario wrote:
> On Thursday, 31 August 2017 11:13:13 CEST Richard Levitte wrote:
>> In message
>> <CALq8RvJrMZ=zmymQ1Z1HiHDDWwdCWMKjZL5whjGrET=Jw5asgQ@mail.gmail.com> on
>> Thu, 31 Aug 2017 11:25:16 +0530, Jayalakshmi bhat
>> <bhat.jayalakshmi@gmail.com> said:
>>
>> bhat.jayalakshmi> Hi All,
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> I am trying to build openssl. As part of that I want
>> bhat.jayalakshmi> to remove some ciphers like md4, rc5 etc.
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> I tried ./config no-md5, no-rc5 and ./Configure
>> bhat.jayalakshmi> no-md5, no-rc5. In both the case MD4 and RC5
>> bhat.jayalakshmi> directories are still getting compiled.
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> Please can you let me know what could be going wrong.
>>
>> Your configuration line says 'no-md5', which is an attempt to remove
>> MD5, not MD4.  Your config line should be this:
>>
>>     ./config no-md4 no-rc5
>>
>> It's possible, though, that you really meant to remove MD5...
>> unfortunately, it's such an integral part of most SSL/TLS protocol
>> versions that we cannot for the moment allow it to be disabled.
>> That's the issue you're hitting.
> 
> It's not an integral part of TLS 1.2 though, so allowing for disabling of MD5 when 
> SSL, TLS 1.0 and TLS 1.1 are disabled isn't unreasonable.
> 
> At the same time, the problem of data-at-rest remains, because while disabling 
> it for TLS is a good idea, disabling it for decryption of PKCS#12 or PKCS#8 
> (private keys), CMS or S/MIME at the same time could create issues that 
> manifest only quite a bit later.
> 

Note (as an aside) that no-md5 was removed as an option from OpenSSL
1.1.0 (and master).

Matt




-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

