[openssl-dev] how to compile out selected ciphers

Matt Caswell matt at openssl.org
Thu Aug 31 14:06:51 UTC 2017



On 31/08/17 14:52, Hubert Kario wrote:
> On Thursday, 31 August 2017 11:13:13 CEST Richard Levitte wrote:
>> In message
>> <CALq8RvJrMZ=zmymQ1Z1HiHDDWwdCWMKjZL5whjGrET=Jw5asgQ at mail.gmail.com> on
>> Thu, 31 Aug 2017 11:25:16 +0530, Jayalakshmi bhat
>> <bhat.jayalakshmi at gmail.com> said:
>>
>> bhat.jayalakshmi> Hi All,
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> I am trying to build openssl. As part of that I want
>> bhat.jayalakshmi> to remove some ciphers like md4, rc5 etc.
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> I tried ./config no-md5, no-rc5 and ./Configure
>> bhat.jayalakshmi> no-md5, no-rc5. In both cases the MD4 and RC5
>> bhat.jayalakshmi> directories are still getting compiled.
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> Please can you let me know what could be going wrong.
>>
>> Your configuration line says 'no-md5', which is an attempt to remove
>> MD5, not MD4.  Your config line should be this:
>>
>>     ./config no-md4 no-rc5
>>
>> It's possible, though, that you really meant to remove MD5...
>> unfortunately, it's such an integral part of most SSL/TLS protocol
>> versions that we cannot for the moment allow it to be disabled.
>> That's the issue you're hitting.
> 
> It's not an integral part of TLS 1.2 though, so allowing for disabling of MD5
> when SSL, TLS 1.0 and TLS 1.1 are disabled isn't unreasonable.
> 
> At the same time, the problem of data-at-rest remains, because while disabling 
> it for TLS is a good idea, disabling it for decryption of PKCS#12 or PKCS#8 
> (private keys), CMS or S/MIME at the same time could create issues that 
> manifest only quite a bit later.
> 

Note (as an aside) that no-md5 was removed as an option from OpenSSL
1.1.0 (and master).

Matt
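
One way to catch the mix-up discussed in this thread (asking for no-md5 while expecting MD4 to go away) is to check the generated configuration header after configuring. The script below is an added example, not part of the thread or of OpenSSL's own code; it assumes a disabled algorithm shows up as an OPENSSL_NO_<ALG> define in opensslconf.h, and the function names and the sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenSSL's code): confirm that the algorithms you meant to
# compile out are really disabled in the generated opensslconf.h.

# Constructed sample header: RC5 and MD2 are disabled, MD4 is not.
sample_conf() {
    cat <<'EOF'
/* constructed sample, not a real build's output */
#ifndef OPENSSL_NO_RC5
# define OPENSSL_NO_RC5
#endif
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
/* OPENSSL_NO_MD4 is mentioned here only in a comment */
EOF
}

# still_enabled <opensslconf.h> <no-alg>...
# Prints the requested algorithms that have no OPENSSL_NO_<ALG> define and
# returns 1 if there is at least one, 0 if all of them are disabled.
still_enabled() {
    conf=$1; shift
    missing=""
    for opt in "$@"; do
        alg=${opt#no-}                       # "no-md4" -> "md4"
        macro="OPENSSL_NO_$(printf '%s' "$alg" | tr 'a-z-' 'A-Z_')"
        # Match only a real "# define MACRO" line, not #ifndef or a comment.
        grep -Eq "^#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$conf" ||
            missing="$missing $alg"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Demo on the constructed header: MD4 was wanted out but is still built.
tmp=$(mktemp)
sample_conf > "$tmp"
echo "requested but still built: $(still_enabled "$tmp" no-md4 no-rc5)"
rm -f "$tmp"
```

Against a real tree, pass the opensslconf.h that your ./config run generated instead of the sample, and fail the build when the function returns non-zero.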

