OpenSSL is not going to drop them anytime soon. If/when they do, we can add back inline support in better understood ways.

Daniel, if we make OpenSSL a requirement, can we drop libsodium?

Daniel, which rev of OpenSSL should we require? (Not 0.9.x et al)

If/when we encounter a target without OpenSSL, we can add the complexity back, but for now, we keep paring away.

..m

On Fri, Jan 27, 2017 at 12:23 PM Daniel Franke <[email protected]> wrote:

> Where is this notion coming from that OpenSSL is going to drop MD5 or SHA1
> support any time soon? That's inconceivable to me.
>
> On Jan 27, 2017 3:21 PM, "Eric S. Raymond" <[email protected]> wrote:
>
> Mark Atwood <[email protected]>:
> > We do need to get whacking on the weeds on removing more of this thicket.
>
> Here are our constraints:
>
> * Daniel has stated that he prefers the OpenSSL implementations of MD5 and
>   SHA-1. He's our crypto expert, so he gets to make that call and I would
>   have no grounds to even argue with it.
>
> * We have been warned that these might be removed from OpenSSL in the
>   unspecified future.
>
> * libsodium does not carry MD5 and SHA-1, and won't for the same reason
>   that they might be removed
>
> Therefore, here are our options:
>
> 1. Make OpenSSL a required library and remove the local MD5/SHA-1. Daniel gets
>    his optimizations, I get to remove code, and all is happy unless the axe
>    falls and MD5/SHA-1 are removed from OpenSSL.
>
> 2. Do nothing. OpenSSL remains optional and we're covered against OpenSSL
>    yanking those features.
> --
> <a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
>
> _______________________________________________
> devel mailing list
> [email protected]
> http://lists.ntpsec.org/mailman/listinfo/devel
