[33088] in Kerberos
Re: Kerberos 1.9, can it be compiled to use OpenSSL .9.8 (FIPS140-2)?
daemon@ATHENA.MIT.EDU (Robert)
Tue Jan 11 16:31:03 2011
Message-ID: <664362.92356.qm@web53901.mail.re2.yahoo.com>
Date: Tue, 11 Jan 2011 13:30:59 -0800 (PST)
From: Robert <fuzzyhypothesis@yahoo.com>
To: Tom Yu <tlyu@mit.edu>
In-Reply-To: <ldvfwszb11m.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Tom,
That would be great (the patch, that is). Thank you.
I have a feeling I will not be the only one asking about this as other folks
start looking to bump up from 1.8.x.
Especially since it doesn't look like OSF will get OpenSSL 1.0 FIPS approved any
time soon.
FH
> Problem is I want to use the FIPS-140-2 certified version of
> OpenSSL, which is currently at .9.8. Is there a different option to
> set this up that I am missing? Or is 1.9 only going to use OpenSSL
> 1.0 and up?
It's a known issue due to the use of the CTS mode API that is only
present in OpenSSL >=1.0:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6747&user=guest&pass=guest
It should be possible to implement CTS mode on top of the CBC mode of
OpenSSL 0.9.8. We would be happy to consider a patch. There may be
other dependencies on OpenSSL >=1.0 but that is the main one that I am
aware of.
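The reply above says CTS mode can be layered on a plain CBC primitive. The following is an added example of that construction, not code from the thread or from MIT krb5: it uses the CBC-CS3 layout (last two blocks always swapped), as used by the Kerberos AES enctypes. The function names and the `toy_enc`/`toy_dec` stand-in cipher are assumptions made so the block runs without a crypto library; inputs of one block or less are out of scope.

```python
BS = 16  # cipher block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed stand-in block cipher so the example runs offline. NOT secure;
# a real build would use the library's AES block operation here.
def toy_enc(key, blk):
    rot = blk[1:] + blk[:1]
    return bytes(((b ^ k) + 1) & 0xFF for b, k in zip(rot, key))

def toy_dec(key, blk):
    rot = bytes(((b - 1) & 0xFF) ^ k for b, k in zip(blk, key))
    return rot[-1:] + rot[:-1]

# Plain CBC over whole blocks: the only mode assumed to be available.
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BS):
        prev = toy_enc(key, _xor(pt[i:i + BS], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BS):
        out.append(_xor(toy_dec(key, ct[i:i + BS]), prev))
        prev = ct[i:i + BS]
    return b"".join(out)

def cts_encrypt(key, iv, pt):
    if len(pt) <= BS:
        raise ValueError("input must be longer than one block")
    d = len(pt) % BS or BS                         # bytes in the final block
    ct = cbc_encrypt(key, iv, pt + bytes(BS - d))  # zero-pad, then plain CBC
    # Swap the last two blocks and truncate the one that moved to the end.
    return ct[:-2 * BS] + ct[-BS:] + ct[-2 * BS:-BS][:d]

def cts_decrypt(key, iv, ct):
    if len(ct) <= BS:
        raise ValueError("input must be longer than one block")
    d = len(ct) % BS or BS
    head, c_last, c_prev = ct[:-(BS + d)], ct[-(BS + d):-d], ct[-d:]
    # Zero-IV CBC decrypt of C_n gives (padded P_n) XOR C_{n-1}; its bytes
    # past d are the stolen tail of C_{n-1}, because the padding was zeros.
    c_prev += cbc_decrypt(key, bytes(BS), c_last)[d:]
    return cbc_decrypt(key, iv, head + c_prev + c_last)[:len(ct)]
```

The ciphertext is the same length as the plaintext, and decryption needs one extra single-block CBC call with a zero IV to recover the truncated block before the normal CBC pass.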