Current status of --enable-crypto

Mark Atwood fallenpegasus at gmail.com
Fri Jan 27 18:44:17 UTC 2017


WolfSSL has a "we are compatible with any OSI approved license" codicil to
their license.  I can get a formal signed commitment and document from the
CEO reinforcing it.

We do need to get whacking on the weeds on removing more of this thicket.

..m



On Fri, Jan 27, 2017 at 10:38 AM Gary E. Miller <gem at rellim.com> wrote:

> Yo Mark!
>
> On Fri, 27 Jan 2017 18:14:15 +0000
> Mark Atwood <fallenpegasus at gmail.com> wrote:
>
> > If we are going to have an SSL dependency, I have a pretty strong
> > preference towards WolfSSL
>
> It may be the best, but it is not in Gentoo.  I suspect few distros have
> it.  As we see from the libsodium mess, using non standard libs is a
> massive increase in difficulty.
>
> > if we are going to have an OpenSSL dependency, it needs to be to the
> > latest stable OpenSSL release.
>
> We gotta support what crap users have.
>
> > What would we be using an SSL library for, that libsodium does not
> > already provide?
>
> That really needs an audit.  waf seems to check for a lot of openssl stuff
> that is never used.
>
> My quick check shows md5 and sha1.
>
> And even though --enable-crypto is gone, there are still a lot of
> #ifdef HAVE_OPENSSL around.
>
> > What all are we using libsodium right now for?
>
> We use libsodium to read /dev/random, or whatever equivalent the OS
> has.  libsodium does not support md5 or sha1.
>
> OTOH, openssl does have RAND_bytes().  Why do we not use that, and get rid
> of libsodium?  Most projects consider it good enough.
>
> And, don't forget, libisc is still in the tree with its own copies of
> md5 and sha1.  Nuke it!
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>         gem at rellim.com  Tel:+1 541 382 8588
>
>             Veritas liberabit vos. -- Quid est veritas?
>     "If you can’t measure it, you can’t improve it." - Lord Kelvin