Wilfredo Sanchez wrote:
> 
>   I need some help with making a US-export happy OpenSSL.
> 
>   So I had a phone call with the NSA here and asked them what I can
> get away with.  Note that the conversation was specific to Apple, and
> not necessarily applicable to my fellow Americans, but I doubt that
> we are super special.
> 
>   56-bit DES is no problem.
>   56-bit restricted RSA is no problem.

56-bit RSA? Surely not! Did you mean 1024 bit?

>   3DES is not allowed.
>   In general, they seemed to imply 56 bits of anything is no
> problem, but I'll have to double check that. Probably if there were
> such a thing as 128-bit rot13 it would not be allowed.  They seem
> preoccupied with bits.  I'm waiting on the actual approval to come
> to my desk to be sure about this area; our lawyers have it.
> 
>   RSA patents aren't a problem for us.
> 
>   The plan is for OpenSSL to be a dynamic shared library.
> Therefore, if you manage to get ahold of a stronger version and drop
> it in, all binaries should be able to take advantage of the stronger
> crypto.  Yes, I brought this up in the phone call, and it's OK.  It
> must, however, be necessary to replace (or edit) the library binary
> in order to enable stronger encryption.
> 
>   But I need to make OpenSSL comply with the above bit limits and
> whatnot.  Is this:
> 
> a) Doable?  Easy?  How do I proceed?
> b) Still going to give me a (moderately) useful SSL?

Depends what you want to do. If you only want to do SSL, then just strip
out the ciphersuites you don't want to allow. Note that you'll have to
enable the "new" ciphersuites to get 1024/56, and further note that they
don't work properly coz they get ordered incorrectly in the negotiation
- someone was working on that, but I've been megabusy lately and lost
track of the status - where's that at?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
