I've attempted to trace through the source code to verify this, but I'm not a C programmer, so I just ended up in knots.
When encrypting using a password, it is hashed to give the key and IV. It appears, and is stated in the docs, that the default password hash used is crypt-style, which truncates the password to the first 8 bytes, effectively limiting encryption strength to 64 bits at best regardless of the chosen algorithm. There appears to be no way to override the default (except when specifically using the password hash function in isolation). This may also impact other password-based functions (SSL/TLS, certificate/PK passwords).

Could someone familiar with the relevant parts of the source code check this, and hopefully tell me I got myself misdirected?

Alan.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
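For reference, the password-to-key/IV derivation that `openssl enc` performs is EVP_BytesToKey (with an 8-byte salt, one iteration, and MD5 as the digest in the releases current when this message was posted). The following is an added reimplementation in Python, not code from the post or from OpenSSL; the salt and passwords are constructed inputs. The second function checks whether bytes of the password beyond the eighth change the derived key, which is the property questioned above.

```python
import hashlib

# Constructed 8-byte salt for the examples (openssl enc generates a random one).
SALT = bytes(range(8))


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "md5", count: int = 1) -> tuple[bytes, bytes]:
    """Reimplementation of OpenSSL's EVP_BytesToKey.

    D_1 = H^count(password || salt)
    D_i = H^count(D_{i-1} || password || salt)
    key || iv is the first key_len + iv_len bytes of D_1 || D_2 || ...

    `openssl enc` calls this with count=1 and an 8-byte salt; the digest
    defaulted to MD5 in older releases and is selectable with -md.
    """
    if len(salt) not in (0, 8):
        # EVP_BytesToKey requires the salt to be absent or exactly 8 bytes.
        raise ValueError("salt must be empty or exactly 8 bytes")
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):          # extra iterations only when count > 1
            block = hashlib.new(md, block).digest()
        derived += block
        prev = block                        # D_{i-1} feeds the next block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def bytes_beyond_eight_matter(password: bytes, salt: bytes = SALT,
                              key_len: int = 32, iv_len: int = 16) -> bool:
    """True if altering the 9th byte of the password changes the derived key/IV.

    A crypt(3)-style derivation that used only the first 8 bytes would return
    False here; EVP_BytesToKey hashes the whole password, so it returns True.
    """
    if len(password) < 9:
        raise ValueError("need a password of at least 9 bytes for this check")
    altered = password[:8] + bytes([password[8] ^ 0x01]) + password[9:]
    return evp_bytes_to_key(password, salt, key_len, iv_len) != \
        evp_bytes_to_key(altered, salt, key_len, iv_len)


if __name__ == "__main__":
    key, iv = evp_bytes_to_key(b"correct horse battery", SALT, 32, 16)
    print("salt=%s key=%s iv=%s" % (SALT.hex(), key.hex(), iv.hex()))
    print("bytes beyond the 8th affect the key:",
          bytes_beyond_eight_matter(b"correct horse battery"))
```

To compare against a real OpenSSL binary, `openssl enc -aes-256-cbc -md md5 -k 'correct horse battery' -S 0001020304050607 -P` prints the salt, key and IV it would use and exits; the hex output should match the script's for the same salt and digest.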