Where is this notion coming from that OpenSSL is going to drop MD5 or SHA1 support any time soon? That's inconceivable to me.
On Jan 27, 2017 3:21 PM, "Eric S. Raymond" <[email protected]> wrote: > Mark Atwood <[email protected]>: > > We do need to get wacking on the weeds on removing more of this thicket. > > Here are our constraints: > > * Daniel has stated that he prefers the OpenSSL implementations of MD5 and > SHA-1. He's our crypto expert, so he gets to make that call and I would > have no grounds to even argue with it. > > * We have beem warned that these might be removed from OpenSSL in the > unspecified future. > > * libsodium does not carry MD5 and SHA-1, and won't for the same reason > that they might be removed > > Therefore, here are our options: > > 1. Make OpenSSL a required library and remove the local MD5/SHA-1. Daniel > gets > his optimizations, I get to remove code, and all is happy unless the axe > falls and MD5/SHA-1 are removed from OpenSSL. > > 2. Do nothing. OpenSSL remains optional and we're covered against OpenSSL > yanking those festures. > -- > <a href="http://www.catb.org/~esr/";>Eric S. Raymond</a> > _______________________________________________ > devel mailing list > [email protected] > http://lists.ntpsec.org/mailman/listinfo/devel >
_______________________________________________ devel mailing list [email protected] http://lists.ntpsec.org/mailman/listinfo/devel
