Old OpenSSL Cpmpaitibility

James Browning jamesb192 at jamesb192.com
Wed Dec 18 11:11:16 UTC 2024


On Wednesday, December 18, 2024 1:03:16 AM Pacific Standard Time Hal Murray via 
devel wrote:

> Do we have an official support policy?  I'm expecting something like "runs
> on supported versions of most Unix like OSes with ntp_adjtime".  Should we
> add "using supported versions of OpenSSL"?

devel/hacking mentions an OpenSSL 1.1.1 minimum w/ the use of RAND_Bytes() and 
symmetric algorithms.

> We need crypto for hashing IPv6 addresses, shared key authentication, the
> cookies that mode6 uses, and checking the leapsecond file.

MD5 is used for IPv6 clock address munging; SHA is used for moe6 nonce, and 
leap-second validation.

> There was some maybe related discussion a while ago for FIPS mode.  It
> would be not-too-hard to recover the old stand-alone MD5 code.  I think
> that covers the IPv6, cookie, and leapsecond usage.  We would have to add
> an ifdef to skip the shared key code which might be useful anyway.

I think the standalone MD5 and SHA code is long gone. There current code only 
wraps around OpenSSL

The only semi-production use I have for the symmetric auth code is to sign 
mode 6 packets. Otherwise, I only use it for testing. I would be nice to move 
the control interface off of port 123 and away from UDP in general.




More information about the devel mailing list