[openssl-project] Removing assembler for outdated algorithms

Viktor Dukhovni viktor at dukhovni.org
Sat Feb 10 22:32:53 UTC 2018


On Sat, Feb 10, 2018 at 10:19:20PM +0000, Salz, Rich wrote:

>     > Is blowfish actually outdated?  I thought it had some significant use,
>     > and don't recall any major weakness...
>     
>     In particular, IIRC OpenSSH uses blowfish, and links to OpenSSL for
>     the underlying cipher...
> 
> PGP used to be a heavy user, but now it only decrypts or does key-wrapping for compatibility; it no longer uses blowfish to encrypt data.
> 
> SSH uses it, but according to https://bbs.archlinux.org/viewtopic.php?id=188613 it has been removed, circa 2014.
> Schneier recommends not using it, and using its successor(s) instead, which we don't implement.

Removed in 2014 is much too recent, there are still LTS systems
with older SSH versions, and modern platforms that may want to
interoperate.  So I'm very reluctant to support removal of blowfish
ASM at this time...

-- 
	Viktor.

