In message <[email protected]> on Sat, 10 Feb 2018 22:32:53 +0000, Viktor Dukhovni <[email protected]> said:

viktor> On Sat, Feb 10, 2018 at 10:19:20PM +0000, Salz, Rich wrote:
viktor>
viktor> > > Is blowfish actually outdated? I thought it had some significant use,
viktor> > > and don't recall any major weakness...
viktor> >
viktor> > In particular, IIRC OpenSSH uses blowfish, and links to OpenSSL for
viktor> > the underlying cipher...
viktor> >
viktor> > PGP used to be a heavy user, but now it only decrypts or does key-wrapping for compatibility; it no longer uses blowfish to encrypt data.
viktor> >
viktor> > SSH uses it, but according to https://bbs.archlinux.org/viewtopic.php?id=188613 it has been removed, circa 2014.
viktor> > Schneier recommends not using it, and use its successor(s) instead, which we don't implement.
viktor>
viktor> Removed in 2014 is much too recent, there are still LTS systems
viktor> with older SSH versions, and modern platforms that may want to
viktor> interoperate. So I'm very reluctant to support removal of blowfish
viktor> ASM at this time...

Those same systems will probably not have the newest OpenSSL either,
and OpenSSH on those machines will certainly not be linked with a
newer OpenSSL...

Cheers,
Richard

--
Richard Levitte [email protected]
OpenSSL Project http://www.openssl.org/~levitte/
_______________________________________________
openssl-project mailing list
[email protected]
https://mta.openssl.org/mailman/listinfo/openssl-project
