Sorry to revive this old thread, I did not see any recent updates.
If there are - please point me that way, and apologies in advance.
I saw a reference to SunOS libc compatibility issues, implying we
never remove functionality. I want to be clear - we do. We do it
by giving our customers
To close off this thread: OpenSSL will not be making any changes.
The team voted on moving a set of algorithms to maintenance mode, and
removing the corresponding assembly implementations from libcrypto, but the
vote did not pass.
Emilia
On Fri, Nov 27, 2015 at 10:19 AM, Tim Hudson
On Friday 20 November 2015 12:58:59 John Denker wrote:
> On 11/19/2015 12:28 PM, Viktor Dukhovni wrote:
> > What algorithms people use on
> > their own data is their choice and risk decision not ours.
>
> To say the same thing yet another way, fundamentally we have a
> communication problem, or
t;
<openssl-dev@openssl.org<mailto:openssl-dev@openssl.org>>
From: "Short, Todd"
Sent by: "openssl-dev"
Date: 11/21/2015 08:28AM
Cc: "openssl-us...@openssl.org<mailto:openssl-us...@openssl.org>"
<openssl-us...@openssl.org<mailto:openssl-us..
On 11/19/2015 12:28 PM, Viktor Dukhovni wrote:
> What algorithms people use on
> their own data is their choice and risk decision not ours.
I heartily agree with the sentiment. A low- or mid-level library
is not the right place to be making and enshrining policy decisions.
We can take yet
...@openssl.org" <openssl-us...@openssl.org>Subject: Re: [openssl-dev] [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback
While I am all for simplicity, I also think that removing functionality is a “bad idea”.
To reduce the support burden, deprecate the ciph
On Čt, 2015-11-19 at 02:12 +, Viktor Dukhovni wrote:
> On Wed, Nov 18, 2015 at 02:34:41PM -0600, Benjamin Kaduk wrote:
>
> > > No, of course not. But after letting people depend on this “single
> > > cryptographic library” for many years, telling them “too bad” isn’t very
> > > nice.
> >
> >
On Thu, Nov 19, 2015 at 11:01:26AM +0100, Tomas Mraz wrote:
> 3. remove the respective EVP_add_cipher(), EVP_add_digest(),... from the
> OpenSSL_add* functions so the users have to explicitly add these to use
> them automatically.
This does not work. Often the code that calls
On Thu, Nov 19, 2015 at 05:07:38PM +, Richard Moore wrote:
>Yes, but a several people (including me) disagree with you. And one of the
> options that has been suggested is to keep the code but have it disabled by
> default.
Note, we're talking about "disabled" as opposed to "not compiled".
On 19 November 2015 at 19:28, Viktor Dukhovni
wrote:
> On Thu, Nov 19, 2015 at 05:07:38PM +, Richard Moore wrote:
>
> >Yes, but a several people (including me) disagree with you. And one of
> the
> > options that has been suggested is to keep the code but have it
On 11/19/15, 5:01 , "openssl-dev on behalf of Tomas Mraz"
wrote:
>On Čt, 2015-11-19 at 02:12 +, Viktor Dukhovni wrote:
>> On Wed, Nov 18, 2015 at 02:34:41PM -0600, Benjamin Kaduk wrote:
>>
>>> I guess I'm just having a hard time
On Wednesday 18 November 2015 14:34:41 Benjamin Kaduk wrote:
> On 11/18/2015 12:52 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> > On 11/18/15, 12:12 , "openssl-dev on behalf of Benjamin Kaduk"
> >
> >
wrote:
> >> On 11/18/2015 07:05
On 19 November 2015 at 16:56, Blumenthal, Uri - 0553 - MITLL wrote:
> Heh. I actually tested building all releases of openssl after 0.9.7 a few
> months back - several refuse to build with the default options on 64 bit.
> In addition my experience shows that compilers get
>> I did not say “no maintenance costs”. I said that I concur that the
>> maintenance costs for such code would be minimal, which usually it is.
>>
>> I’m against “disabling by default”. Removing access to such code from libssl
>> is OK, and the correct thing to do from the security point of
On 11/18/2015 07:05 AM, Hubert Kario wrote:
> So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to support
> both relatively modern TLS with user certificates, preferably the newest
> cryptosystems and hashes as well as the oldest ones that were
> standardised and used.
>
> That
On 11/18/15, 12:12 , "openssl-dev on behalf of Benjamin Kaduk"
wrote:
>On 11/18/2015 07:05 AM, Hubert Kario wrote:
>> So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to
>>support
>> both relatively modern TLS with
On Wednesday 18 November 2015 11:12:59 Benjamin Kaduk wrote:
> On 11/18/2015 07:05 AM, Hubert Kario wrote:
> > So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to
> > support both relatively modern TLS with user certificates,
> > preferably the newest cryptosystems and hashes as well
On Wed, Nov 18, 2015 at 02:34:41PM -0600, Benjamin Kaduk wrote:
> > No, of course not. But after letting people depend on this “single
> > cryptographic library” for many years, telling them “too bad” isn’t very
> > nice.
>
> I guess I'm just having a hard time wrapping my head around why, upon
On Tue, Nov 17, 2015 at 11:12 AM, Jeffrey Walton wrote:
> > MD2 - (The argument that someone somewhere may want to keep verifying old
> > MD2 signatures on self-signed certs doesn't seem like a compelling enough
> > reason to me. It's been disabled by default since OpenSSL
On Tue, Nov 17, 2015 at 7:21 AM, Emilia Käsper wrote:
>
>
> On Tue, Nov 17, 2015 at 11:12 AM, Jeffrey Walton wrote:
>>
>> > MD2 - (The argument that someone somewhere may want to keep verifying
>> > old
>> > MD2 signatures on self-signed certs doesn't seem
> MD2 - (The argument that someone somewhere may want to keep verifying old
> MD2 signatures on self-signed certs doesn't seem like a compelling enough
> reason to me. It's been disabled by default since OpenSSL 1.0.0.)
> ...
Apple still provides two Verisign certificates using
On 11/17/2015 12:00 PM, Jeffrey Walton wrote:
>
>
> Also, if OpenSSL requires iOS 9 or above, then its setting policy for users.
In some sense, yes. But it has always done so -- OpenSSL only supports
certain platforms, and certain versions of certain platforms. There are
prerequisites to being
On Mon, Nov 16, 2015 at 04:51:10PM +0100, Emilia Käsper wrote:
> As for specific deprecation strategies:
> - Don't forget that all applications will have to recompile against 1.1.
The EVP_get_cipherbyname() and EVP_get_digestbyname() interfaces
remain, so nothing changes at compile-time. Most
On 11/13/2015 09:31 AM, Jakob Bohm wrote:
> On 13/11/2015 14:40, Emilia Käsper wrote:
>> Hi all,
>>
>> We are considering removing from OpenSSL 1.1 known broken or outdated
>> cryptographic primitives. As you may know the forks have already done
>> this but I'd like to seek careful feedback for
On Fri, Nov 13, 2015, Benjamin Kaduk wrote:
>
> As another thread calls to mind, PKCS#12 could potentially just use
> triple-DES. (BTW, the CMS tests fail when openssl is configured with
> no-rc2, due to this; I have a WIP patch sitting around.)
>
The issue is that some cuurent software
> ALL BINARY ELLIPTIC CURVES
This one may be premature.
I understand the TLS WG is moving against it. However, I am aware of
implementations of Shoup's ECIES, and they, in turn, depend on
OpenSSL. I don't know if the ECIES implementations rely solely on
prime fields or not, however.
> BLOWFISH
26 matches
Mail list logo