[openssl-dev] how to compile out selected ciphers

Hubert Kario hkario at redhat.com
Thu Aug 31 13:52:16 UTC 2017


On Thursday, 31 August 2017 11:13:13 CEST Richard Levitte wrote:
> In message
> <CALq8RvJrMZ=zmymQ1Z1HiHDDWwdCWMKjZL5whjGrET=Jw5asgQ at mail.gmail.com> on
> Thu, 31 Aug 2017 11:25:16 +0530, Jayalakshmi bhat
> <bhat.jayalakshmi at gmail.com> said:
> 
> bhat.jayalakshmi> Hi All,
> bhat.jayalakshmi>
> bhat.jayalakshmi> I am trying to build openssl. As part of that I want
> bhat.jayalakshmi> to remove some ciphers like md4, rc5 etc.
> bhat.jayalakshmi>
> bhat.jayalakshmi> I tried ./config no-md5, no-rc5 and ./Configure
> bhat.jayalakshmi> no-md5, no-rc5. In both the case MD4 and RC5
> bhat.jayalakshmi> directories are still getting compiled.
> bhat.jayalakshmi>
> bhat.jayalakshmi> Please can you let me know what could be going wrong.
> 
> Your configuration line says 'no-md5', which is an attempt to remove
> MD5, not MD4.  Your config line should be this:
> 
>     ./config no-md4 no-rc5
> 
> It's possible, though, that you really meant to remove MD5...
> unfortunately, it's such an integral part of most SSL/TLS protocol
> versions that we cannot for the moment allow it to be disabled.
> That's the issue you're hitting.

It's not an integral part of TLS 1.2 though, so allowing for disabling of MD5 when 
SSL, TLS 1.0 and TLS 1.1 are disabled isn't unreasonable.

At the same time, the problem of data-at-rest remains, because while disabling 
it for TLS is a good idea, disabling it for decryption of PKCS#12 or PKCS#8 
(private keys), CMS or S/MIME at the same time could create issues that 
manifest only quite a bit later.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
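A quick check to run after the corrected configure line quoted above (`./config no-md4 no-rc5`), added here as an example; it is not code from the thread or from the OpenSSL project. It assumes the OpenSSL 1.1.x layout, in which Configure writes one `OPENSSL_NO_<ALG>` macro per disabled feature into `include/openssl/opensslconf.h` (OpenSSL 3.x puts the same macros in `include/openssl/configuration.h`, so pass that path instead). The header embedded below is constructed to look like the output of `./config no-md4 no-rc5`; it is not a real generated file.

```shell
#!/bin/sh
# Added example, not part of the original thread or the OpenSSL sources.
# Lists the algorithms a configured OpenSSL tree has compiled out by reading the
# OPENSSL_NO_* macros that Configure emits into opensslconf.h (1.1.x layout assumed).

# disabled_algs FILE
#   Print, lower-cased and one per line, every X for which FILE defines OPENSSL_NO_X.
disabled_algs() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_NO_\([A-Z0-9_]*\).*/\1/p' "$1" \
        | tr 'A-Z' 'a-z' | sort -u
}

# is_disabled FILE ALG
#   Exit 0 if ALG (e.g. md4, rc5) is compiled out according to FILE, 1 otherwise.
is_disabled() {
    alg=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    disabled_algs "$1" | grep -qx "$alg"
}

# Constructed sample of what Configure writes for ./config no-md4 no-rc5 on a
# build that also has SSLv3 off; stands in for include/openssl/opensslconf.h.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
#ifndef OPENSSL_NO_MD4
# define OPENSSL_NO_MD4
#endif
#ifndef OPENSSL_NO_RC5
# define OPENSSL_NO_RC5
#endif
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
EOF

# Report which requested removals actually took effect. MD5 is included on purpose:
# as the thread explains, Configure does not let it be disabled, so it must not appear.
for alg in md4 rc5 md5; do
    if is_disabled "$SAMPLE_CONF" "$alg"; then
        echo "$alg: compiled out"
    else
        echo "$alg: still built in"
    fi
done
```

On a real tree, run `disabled_algs include/openssl/opensslconf.h` right after `./config` and before `make`; if `md4` and `rc5` are missing from the output, the option names in the configure line were wrong (as with `no-md5` in the thread) and the directories will still be compiled.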