Hello, > for my embedded system, I want to have an OpenSSL lib with only the > barely necessary functionality to speak with its home station. So I > decided to only support TLSv1, and (in accordance with Rescorla's > recommendation on p.142) only RSA, RC4 and SHA-1. > > Now the OpenSSL Configure script (version 0.9.7g) has for TLSv1 (and for > SSLv3 the requirements are even wider): > > $no_tls1=1 if ($no_md5 || $no_sha); > $no_tls1=1 if ($no_dh); > > So, even if we only want RSA and RC4 and SHA-1, I must still configure > MD5 and DH. I succeed in disabling DSA, DES and AES (although these > require insertion of some #ifndef OPENSSL_NO_DES etc), but I cannot > disable ASN1 or PKCS7. > > Questions: > Why cannot TLSv1 run without MD5 or DH? MD5 (and SHA1) is defined in RFC2246: The TLS Protocol Version 1.0 as functions used to generate key_material, master_secret, and Finished packet. You can not have "portable" TLS1 implementation without MD5.
Best regards, -- Marek Marcola <[EMAIL PROTECTED]> ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
