Old OpenSSL Cpmpaitibility
James Browning
jamesb192 at jamesb192.com
Wed Dec 18 11:11:16 UTC 2024
On Wednesday, December 18, 2024 1:03:16 AM Pacific Standard Time Hal Murray via
devel wrote:
> Do we have an official support policy? I'm expecting something like "runs
> on supported versions of most Unix like OSes with ntp_adjtime". Should we
> add "using supported versions of OpenSSL"?
devel/hacking mentions an OpenSSL 1.1.1 minimum w/ the use of RAND_Bytes() and
symmetric algorithms.
> We need crypto for hashing IPv6 addresses, shared key authentication, the
> cookies that mode6 uses, and checking the leapsecond file.
MD5 is used for IPv6 clock address munging; SHA is used for moe6 nonce, and
leap-second validation.
> There was some maybe related discussion a while ago for FIPS mode. It
> would be not-too-hard to recover the old stand-alone MD5 code. I think
> that covers the IPv6, cookie, and leapsecond usage. We would have to add
> an ifdef to skip the shared key code which might be useful anyway.
I think the standalone MD5 and SHA code is long gone. There current code only
wraps around OpenSSL
The only semi-production use I have for the symmetric auth code is to sign
mode 6 packets. Otherwise, I only use it for testing. I would be nice to move
the control interface off of port 123 and away from UDP in general.
More information about the devel
mailing list