My plans, suggestions and whatever

Hal Murray hmurray at megapathdsl.net
Fri Feb 8 21:51:15 UTC 2019


>> making it build on 
>> older versions of OpenSSL.

> Is this important? I haven't followed this exactly, but isn't AES_SIV_CMAC
> only available in bleeding edge (possibly not even released) OpenSSL? If so,
> this is only going to be useful if you're willing to backport the
> AES_SIV_CMAC and use it separately. That might be wise to do, though. 

Older, but not very old.

I'm debugging on OpenSSL 1.1.1a which supports TLS1.3 but is not widely 
deployed yet.

So far, older goes back as far as 1.0.1e which supports TLS1.2 but doesn't have 
the fancy new API to set the min/max versions.  But they do have a way to set 
"the" version which is all we need since we don't want anything before 1.2 and 
they don't support anything newer.

In particular, Debian is on 1.1.0j which doesn't support 1.3.

I don't plan to spend any time supporting ancient versions but it's only a few 
lines of code to make sure that older versions don't use pre 1.2 versions of 
SSL/TLS.
 
Thanks for following closely enough to ask a good question.


-- 
These are my opinions.  I hate spam.
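
The TLS 1.2 floor discussed in the message above, as an added example (not NTPsec's code, which is C). It uses Python's ssl module, which wraps the same OpenSSL library; the names make_client_context and accepts are hypothetical, and accepts only models the configured range without performing a handshake.

```python
import ssl
import warnings

TLS12 = ssl.TLSVersion.TLSv1_2


def make_client_context(use_min_max=None):
    """Return (ctx, strategy) for a client context that refuses TLS < 1.2.

    use_min_max=None autodetects; False forces the older pinned-version path.
    """
    if use_min_max is None:
        # The setter is only exposed when the linked OpenSSL has min/max support.
        use_min_max = hasattr(ssl.SSLContext, "minimum_version")
    if use_min_max:
        # Newer API: set only a floor, so TLS 1.3 is used where the library has it.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = TLS12
        return ctx, "min-version"
    # Older API: no floor/ceiling setters, so pin the one acceptable version.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    # Unlike PROTOCOL_TLS_CLIENT, the pinned method does not verify by default.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx, "pinned"


def accepts(ctx, version):
    """True if ctx is configured to negotiate `version` (an ssl.TLSVersion)."""
    if version == ssl.TLSVersion.TLSv1_3 and not ssl.HAS_TLSv1_3:
        return False  # library too old for 1.3, whatever the context says
    if ctx.protocol == ssl.PROTOCOL_TLSv1_2:
        return version == TLS12  # pinned method: exactly one version
    lo, hi = ctx.minimum_version, ctx.maximum_version
    above_floor = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or version >= lo
    below_ceiling = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= hi
    return above_floor and below_ceiling


if __name__ == "__main__":
    for forced in (None, False):
        ctx, how = make_client_context(forced)
        allowed = [v.name for v in ssl.TLSVersion
                   if v.name.startswith("TLSv") and accepts(ctx, v)]
        print(ssl.OPENSSL_VERSION, how, allowed)
```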




