Current status of --enable-crypto

Kurt Roeckx kurt at roeckx.be
Fri Jan 27 21:42:43 UTC 2017


On Fri, Jan 27, 2017 at 03:42:09PM -0500, Eric S. Raymond wrote:
> Daniel Franke <dfoxfranke at gmail.com>:
> > Where is this notion coming from that OpenSSL is going to drop MD5 or SHA1
> > support any time soon? That's inconceivable to me.
> 
> I think it was either Achim Gratz or Kurt Roeckx (I can't easily search to find
> out right now). Somebody serious, anyway.

So as one of the OpenSSL people, it seems unrealistic to even have
a compile time option to remove MD5 and SHA-1 at this time. Both
are needed for TLS 1.0. It seems unrealistic that we can drop
support for that in the next 5 years. We still support SSLv3, but
it's disabled by default. I hope to be able to disable TLS 1.0 by
default in a few years. At that time it _might_ be possible to
have an option to disable MD5 and SHA-1, but it would require
someone to actually put an effort into that. And some people might
actually want to have such an option, so maybe someone will.

But even then it seems unlikely that they get disabled by default
in the first 5 years. If you only care about the preimage resistance,
they are still fine. There are also just too many applications that
would get broken by disabling them.


Kurt
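The reason both digests are still needed for TLS 1.0 is the protocol's PRF (RFC 2246 section 5): the secret is split in two halves, one half drives an HMAC-MD5 expansion, the other an HMAC-SHA1 expansion, and the two streams are XORed. The following is an added illustration, not code from the message above, from NTPsec or from OpenSSL; the sample pre-master secret and random values are constructed for the example. It also shows why the construction is not hurt by MD5's collision weakness: every use is inside HMAC, so only preimage/PRF properties matter.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC-based expansion of `secret`.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))
    P_hash = HMAC_hash(secret, A(1) + seed) || HMAC_hash(secret, A(2) + seed) || ...
    The stream is truncated to `length` bytes.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls1_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246 section 5).

    The secret is split into S1 (first half) and S2 (second half); when the
    length is odd the halves overlap by one byte. S1 drives P_MD5, S2 drives
    P_SHA1, and the two outputs are XORed. Remove either digest from the
    library and this function, hence every TLS 1.0 handshake, stops working.
    """
    if isinstance(label, str):
        label = label.encode("ascii")
    half = (len(secret) + 1) // 2          # ceil(L_S / 2), per the RFC
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def master_secret(pre_master_secret, client_random, server_random):
    """RFC 2246 section 8.1: master_secret = PRF(pre_master_secret,
    "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return tls1_prf(pre_master_secret, "master secret",
                    client_random + server_random, 48)


def demo():
    # Constructed sample values (not from any real handshake):
    # a 48-byte RSA pre-master secret and two 32-byte hello randoms.
    pms = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    ms = master_secret(pms, client_random, server_random)
    return ms


if __name__ == "__main__":
    print(demo().hex())
```

Usage: `demo()` returns the 48-byte master secret derived from the constructed values. The one thing to take from the code is that neither `p_hash("md5", ...)` nor `p_hash("sha1", ...)` can be removed without changing the output, which is the compatibility constraint described in the message.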
