[33087] in Kerberos
Re: Kerberos 1.9, can it be compiled to use OpenSSL .9.8 (FIPS140-2)?
daemon@ATHENA.MIT.EDU (Tom Yu)
Tue Jan 11 16:09:15 2011
To: Robert <fuzzyhypothesis@yahoo.com>
From: Tom Yu <tlyu@mit.edu>
Date: Tue, 11 Jan 2011 16:09:09 -0500
In-Reply-To: <801342.53126.qm@web53904.mail.re2.yahoo.com>
(fuzzyhypothesis@yahoo.com's message of "Tue,
11 Jan 2011 12:55:21 -0800 (PST)")
Message-ID: <ldvfwszb11m.fsf@cathode-dark-space.mit.edu>
Cc: kerberos@mit.edu

Robert <fuzzyhypothesis@yahoo.com> writes:

> Problem is I want to use the FIPS-140-2 certified version of
> OpenSSL, which is currently at .9.8. Is there a different option to
> set this up that I am missing? Or is 1.9 only going to use OpenSSL
> 1.0 and up?

It's a known issue due to the use of the CTS mode API that is only
present in OpenSSL >=1.0:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=6747&user=guest&pass=guest

It should be possible to implement CTS mode on top of the CBC mode of
OpenSSL 0.9.8. We would be happy to consider a patch. There may be
other dependencies on OpenSSL >=1.0 but that is the main one that I am
aware of.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
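
The layering suggested in the message above, as an added example that is not part of the original thread and is not MIT krb5 code: ciphertext stealing in the RFC 3962 form used by the Kerberos AES enctypes (last two blocks always swapped), built only from an unpadded CBC encrypt/decrypt callable. The function names are hypothetical, and make_toy_cbc is a constructed, insecure stand-in so the sketch runs offline; a real port would pass wrappers around the library's AES-CBC with padding disabled.

```python
BLOCK = 16  # AES block size in bytes

def cts_encrypt(cbc_encrypt, iv, plaintext):
    """CTS via an unpadded CBC callable cbc_encrypt(iv, data) -> bytes."""
    n = len(plaintext)
    if n < BLOCK:
        raise ValueError("CTS needs at least one full block")
    pad = -n % BLOCK
    ct = cbc_encrypt(iv, plaintext + bytes(pad))  # zero-pad, then plain CBC
    if n == BLOCK:
        return ct
    head, prev, last = ct[:-2 * BLOCK], ct[-2 * BLOCK:-BLOCK], ct[-BLOCK:]
    # Swap the last two blocks and drop the stolen tail of C[n-1].
    return head + last + prev[:BLOCK - pad]

def cts_decrypt(cbc_decrypt, iv, ciphertext):
    n = len(ciphertext)
    if n < BLOCK:
        raise ValueError("CTS needs at least one full block")
    if n == BLOCK:
        return cbc_decrypt(iv, ciphertext)
    d = (n - 1) % BLOCK + 1                  # length of the truncated block
    head = ciphertext[:n - d - BLOCK]
    last, prev_part = ciphertext[n - d - BLOCK:n - d], ciphertext[n - d:]
    # CBC-decrypting one block under a zero IV is the raw block decryption
    # D(C[n]) = C[n-1] XOR zero-padded P[n], so its tail is the stolen bytes.
    raw = cbc_decrypt(bytes(BLOCK), last)
    return cbc_decrypt(iv, head + prev_part + raw[d:] + last)[:n]

def make_toy_cbc(key):
    """Constructed stand-in for unpadded AES-CBC (16-byte key). NOT secure."""
    mask = (1 << 128) - 1
    k, m = int.from_bytes(key, "big"), 0x9E3779B97F4A7C15F39CC0605CEDC835
    m_inv = pow(m, -1, 1 << 128)             # m is odd, so it is invertible
    def enc(iv, data):
        out, prev = b"", int.from_bytes(iv, "big")
        for i in range(0, len(data), BLOCK):
            p = int.from_bytes(data[i:i + BLOCK], "big")
            prev = ((p ^ prev ^ k) * m) & mask
            out += prev.to_bytes(BLOCK, "big")
        return out
    def dec(iv, data):
        out, prev = b"", int.from_bytes(iv, "big")
        for i in range(0, len(data), BLOCK):
            c = int.from_bytes(data[i:i + BLOCK], "big")
            out += ((((c * m_inv) & mask) ^ k) ^ prev).to_bytes(BLOCK, "big")
            prev = c
        return out
    return enc, dec
```

Before trusting a port built this way, check it against the AES-CBC-CTS test vectors published in RFC 3962, which the stand-in cipher here cannot reproduce.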