Hi Richard,

Thanks for your quick response to my issue.

My motivation for disabling HMAC along with many other ciphers is in response to product requirements which specify that only non-patented (or expired patent) and exportable (from the US) encryption software be included. Since I'm kind of a newbie to SSL and thinking that all I need is RSA, MD5 and RC4 I eliminated all the rest as in:

no-idea no-bf no-cast no-dsa no-dh no-hmac no-md2 no-mdc2 no-rc2 no-rc5

Further reading has shown me that HMAC probably needs to be included, as you mentioned.

BTW, there is a similar problem at line 62 of test/md2test.c where there is an include <openssl/md2.h> which is not ifdef'ed out when no-md2 is desired. This also causes the build to break. Is MD2 another one of those ciphers that no one disables?

Assuming that I want to exclude all encryption which is either patented or not freely exportable worldwide, which ones would you recommend to disable? I'm pretty sure that "idea" needs to be disabled. Also I'm pretty sure that 3DES can't be used but I'm not sure how to be certain it is disabled.

I appreciate any advice that you can offer.

Regards,
/bob

At 01:38 AM 2/19/2004, you wrote:
>In message <[EMAIL PROTECTED]> on Thu, 19 Feb 2004
>08:35:59 +0100 (MET), "Bob Fishman via RT" <[EMAIL PROTECTED]> said:
>
>rt>
>rt> Greetings,
>rt>
>rt> System and version:
>rt>
>rt> OpenSSL 0.9.7c
>rt>
>rt>
>rt>
>rt> Type:
>rt> Building, Configuration Error
>rt>
>rt>
>rt> Description:
>rt> When doing a make of OpenSSL with HMAC configured off (no-hmac) the code in
>rt> ssl/t1_enc.c appears to incorrectly include openssl/hmac.h. This causes
>rt> the make to abort.
>rt>
>rt> To duplicate this problem do:
>rt>
>rt> ./config no-idea no-bf no-cast no-hmac no-threads -fPIC
>rt> make depend
>rt> make
>rt>
>rt>
>rt> Suggested fix:
>rt>
>rt> At line 116 the line:
>rt>
>rt> #include <openssl/hmac.h>
>rt>
>rt> should be wrapped in an ifndef OPENSSL_NO_HMAC
>rt>
>rt> like this:
>rt>
>rt> #ifndef OPENSSL_NO_HMAC
>rt> #include <openssl/hmac.h>
>rt> #endif
>
>That won't fix the problem, really. If you look at the TLS RFC, it's
>*highly* dependent on HMAC. You might as well disable TLS (no-tls1)
>while you're at it.
>
>Out of curiosity, why do you want to disable HMAC?
>
>-----
>Please consider sponsoring my work on free software.
>See http://www.free.lp.se/sponsoring.html for details.
>
>--
>Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED]
>[EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47
> \ SWEDEN \ or +46-708-26 53 44
>Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
>Member of the OpenSSL development team: http://www.openssl.org/
>
>Unsolicited commercial email is subject to an archival fee of $400.
>See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
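
The build breaks reported in this thread share one pattern: an <openssl/...> include that sits outside its OPENSSL_NO_* guard. The following added example (not code from the thread or from OpenSSL) scans C source for that pattern; the function names, the rule that header x.h pairs with macro OPENSSL_NO_X, and the sample source are assumptions made for illustration.

```python
import re
INCLUDE = re.compile(r'^\s*#\s*include\s*<openssl/(\w+)\.h>')
DIRECTIVE = re.compile(r'^\s*#\s*(ifndef|ifdef|if|elif|else|endif)\b(.*)')
NOT_DEFINED = re.compile(r'!\s*defined\s*\(?\s*(OPENSSL_NO_\w+)')

def branch_guards(kind, rest):
    """Return [macros known undefined in this branch, same for its #else]."""
    name = re.match(r'\s*(OPENSSL_NO_\w+)', rest)
    one = {name.group(1)} if name else set()
    if kind == "ifndef":
        return [one, set()]
    if kind == "ifdef":
        return [set(), one]
    # "#if": trust only !defined(...) terms that are not part of an "||"
    return [set() if "||" in rest else set(NOT_DEFINED.findall(rest)), set()]

def unguarded_includes(source, disabled):
    """List (line_no, header) for includes of disabled algorithms with no guard."""
    stack, findings = [], []
    for no, line in enumerate(source.splitlines(), 1):
        d = DIRECTIVE.match(line)
        if d:
            kind, rest = d.groups()
            if kind in ("if", "ifdef", "ifndef"):
                stack.append(branch_guards(kind, rest))
            elif kind == "else" and stack:
                stack[-1].reverse()          # the #else branch takes over
            elif kind == "elif" and stack:
                stack[-1] = [set(), set()]   # conservative: assume no guard
            elif kind == "endif" and stack:
                stack.pop()
            continue
        inc = INCLUDE.match(line)
        # Assumption: header <openssl/x.h> pairs with macro OPENSSL_NO_X.
        if inc and inc.group(1) in disabled:
            macro = "OPENSSL_NO_" + inc.group(1).upper()
            if not any(macro in now for now, _ in stack):
                findings.append((no, inc.group(1)))
    return findings

# Constructed sample source, not the contents of any OpenSSL file.
SAMPLE = """#include <openssl/hmac.h>
#ifndef OPENSSL_NO_MD2
#include <openssl/md2.h>
#endif
#ifdef OPENSSL_NO_IDEA
#else
#include <openssl/idea.h>
#endif
"""
```

A clean result only covers the includes. Code that uses a disabled algorithm still has to be guarded or disabled as well, which is the point of the reply about TLS and HMAC.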
