Re: how to compile out selected ciphers

Hubert Kario
On Thursday, 31 August 2017 11:13:13 CEST Richard Levitte wrote:

> In message
> <CALq8RvJrMZ=zmymQ1Z1HiHDDWwdCWMKjZL5whjGrET=[hidden email]> on
> Thu, 31 Aug 2017 11:25:16 +0530, Jayalakshmi bhat
> <[hidden email]> said:
>
> bhat.jayalakshmi> Hi All,
> bhat.jayalakshmi>
> bhat.jayalakshmi> I am trying to build openssl. As part of that I want
> bhat.jayalakshmi> to remove some ciphers like md4, rc5 etc.
> bhat.jayalakshmi>
> bhat.jayalakshmi> I tried ./config no-md5, no-rc5 and ./Configure
> bhat.jayalakshmi> no-md5, no-rc5. In both the case MD4 and RC5
> bhat.jayalakshmi> directories are still getting compiled.
> bhat.jayalakshmi>
> bhat.jayalakshmi> Please can you let me know what could be going wrong.
>
> Your configuration line says 'no-md5', which is an attempt to remove
> MD5, not MD4.  Your config line should be this:
>
>     ./config no-md4 no-rc5
>
> It's possible, though, that you really meant to remove MD5...
> unfortunately, it's such an integral part of most SSL/TLS protocol
> versions that we cannot for the moment allow it to be disabled.
> That's the issue you're hitting.
It's not an integral part of TLS 1.2 though, so allowing for disabling of MD5 when
SSL, TLS 1.0 and TLS 1.1 are disabled isn't unreasonable.

At the same time, the problem of data-at-rest remains, because while disabling
it for TLS is a good idea, disabling it for decryption of PKCS#12 or PKCS#8
(private keys), CMS or S/MIME at the same time could create issues that
manifest only quite a bit later.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
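The thread's answer is that the option names must match the algorithm being removed (`no-md4`, not `no-md5`), and that a build can silently keep an algorithm the builder thought was gone. The check below is an added example, not code from the thread or from the OpenSSL project: after running `./config no-md4 no-rc5`, it confirms that the generated configuration header actually carries the matching `OPENSSL_NO_<ALG>` macros, which is what downstream code tests to know an algorithm is absent. The header path and the sample header contents are constructed for the example; the generated file in a real tree is typically `include/openssl/opensslconf.h` (1.1.x) or `crypto/opensslconf.h` (1.0.x).

```shell
#!/bin/sh
# Added example, not part of the openssl-dev thread. Verifies that
# "no-<alg>" options given to ./config really produced OPENSSL_NO_<ALG>
# macros in the generated configuration header.

# Return 0 if the header defines OPENSSL_NO_<ALG> for the given algorithm
# name (case-insensitive, e.g. "md4" -> OPENSSL_NO_MD4), 1 otherwise.
alg_disabled_in_header() {
    header="$1"
    macro="OPENSSL_NO_$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$header"
}

# Given a header and the "no-xxx" options that were passed to ./config,
# print one line per option and return 1 if any requested algorithm is
# still enabled (i.e. its macro is missing from the header).
verify_no_options() {
    header="$1"; shift
    rc=0
    for opt in "$@"; do
        case "$opt" in
            no-*) alg="${opt#no-}" ;;
            *) printf '%s: not a no-<alg> option, skipped\n' "$opt"; continue ;;
        esac
        if alg_disabled_in_header "$header" "$alg"; then
            printf '%s disabled\n' "$alg"
        else
            printf '%s STILL ENABLED\n' "$alg"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample header standing in for what "./config no-md4 no-rc5"
# would generate (only the macros relevant here; a real opensslconf.h
# carries many more). Assumption: this is the file a build would produce.
SAMPLE_HEADER="$(mktemp)"
cat > "$SAMPLE_HEADER" <<'EOF'
#ifndef OPENSSL_NO_MD4
# define OPENSSL_NO_MD4
#endif
#ifndef OPENSSL_NO_RC5
# define OPENSSL_NO_RC5
#endif
EOF

# The corrected line from the thread: both algorithms show as disabled.
verify_no_options "$SAMPLE_HEADER" no-md4 no-rc5

# The original poster's intent (no-md5): MD5 is not disabled in this build,
# so the check flags it instead of letting the mismatch go unnoticed.
verify_no_options "$SAMPLE_HEADER" no-md5 no-rc5 \
    || echo "at least one requested algorithm is still compiled in"
```

Run it against the real generated header of a configured tree by replacing `$SAMPLE_HEADER` with that path; a non-zero exit from `verify_no_options` is the signal that the build did not honour an option, whether because the name was wrong (md5 vs md4) or because the version does not allow that algorithm to be removed.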

Re: how to compile out selected ciphers

Matt Caswell-2


On 31/08/17 14:52, Hubert Kario wrote:

> On Thursday, 31 August 2017 11:13:13 CEST Richard Levitte wrote:
>> In message
>> <CALq8RvJrMZ=zmymQ1Z1HiHDDWwdCWMKjZL5whjGrET=[hidden email]> on
>> Thu, 31 Aug 2017 11:25:16 +0530, Jayalakshmi bhat
>> <[hidden email]> said:
>>
>> bhat.jayalakshmi> Hi All,
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> I am trying to build openssl. As part of that I want
>> bhat.jayalakshmi> to remove some ciphers like md4, rc5 etc.
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> I tried ./config no-md5, no-rc5 and ./Configure
>> bhat.jayalakshmi> no-md5, no-rc5. In both the case MD4 and RC5
>> bhat.jayalakshmi> directories are still getting compiled.
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> Please can you let me know what could be going wrong.
>>
>> Your configuration line says 'no-md5', which is an attempt to remove
>> MD5, not MD4.  Your config line should be this:
>>
>>     ./config no-md4 no-rc5
>>
>> It's possible, though, that you really meant to remove MD5...
>> unfortunately, it's such an integral part of most SSL/TLS protocol
>> versions that we cannot for the moment allow it to be disabled.
>> That's the issue you're hitting.
>
> It's not an integral part of TLS 1.2 though, so allowing for disabling of MD5 when
> SSL, TLS 1.0 and TLS 1.1 are disabled isn't unreasonable.
>
> At the same time, the problem of data-at-rest remains, because while disabling
> it for TLS is a good idea, disabling it for decryption of PKCS#12 or PKCS#8
> (private keys), CMS or S/MIME at the same time could create issues that
> manifest only quite a bit later.
>
Note (as an aside) that no-md5 was removed as an option from OpenSSL
1.1.0 (and master).

Matt


