LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

February 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS February 2015

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: openssl and curves
From:	Nico Kadel-Garcia <[log in to unmask]>
Reply To:	Nico Kadel-Garcia <[log in to unmask]>
Date:	Sat, 21 Feb 2015 23:58:08 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (44 lines)

On Sat, Feb 21, 2015 at 11:02 PM, Andrew Z <[log in to unmask]> wrote:
> i hope someone had a chance to create an rpm for opessl that has all curves
> and doesn't mind to share the srpm.

You just conjured an amazing image involving, well, "all curves".

> Or maybe help me out by explaining what i need to enable in the config of
> the openssl to get them (curves) included. Currently i use this :
>
> + ./Configure --prefix=/usr --openssldir=/etc/pki/tls
> --system-ciphers-file=/etc/crypto-policies/back-ends/openssl.config zlib
> enable
> -camellia enable-seed enable-tlsext enable-rfc3779 enable-cms enable-md2
> no-mdc2 no-rc5 no-gost no-srp --with-krb5-flavor=MIT --engin
> esdir=/usr/lib64/openssl/engines --with-krb5-dir=/usr shared linux-x86_64
> fips
> Configuring for linux-x86_64
>     no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip
> dir)
>     no-gmp          [default]  OPENSSL_NO_GMP (skip dir)
>     no-gost         [option]   OPENSSL_NO_GOST (skip dir)
>     no-jpake        [experimental] OPENSSL_NO_JPAKE (skip dir)
>     no-mdc2         [option]   OPENSSL_NO_MDC2 (skip dir)
>     no-rc5          [option]   OPENSSL_NO_RC5 (skip dir)
>     no-rsax         [forced]   OPENSSL_NO_RSAX (skip dir)
>     no-sctp         [default]  OPENSSL_NO_SCTP (skip dir)
>     no-srp          [option]   OPENSSL_NO_SRP (skip dir)
>     no-store        [experimental] OPENSSL_NO_STORE (skip dir)
>     no-unit-test    [default]  OPENSSL_NO_UNIT_TEST (skip dir)
>     no-zlib-dynamic [default]
> IsMK1MF=0
> CC            =gcc
>
>
> crypto is completely out of my league and i'm 99.9% sure i do _not_ know
> what i'm talking about ...

And this looks like a really, really bad idea. Not in the sense of
enabling all the curves you want, but in the sense of breaking every
SSL based system tools that might generally be willing to use other
types of cryptography. This will mean that your SSL based *clients*
will not be able to interoperate with public applications and sites
that use non-curve crypography.  Why would you want this?

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV