<div dir="ltr">OpenSSL is not going to drop them anytime soon. if/when they do, we can add back inline support in better understood ways.<div><br></div><div>Daniel, if we make OpenSSL a requirement, can we drop libsodium?</div><div><br></div><div>Daniel, which rev of OpenSSL should we require? (Not 0.9.x et al)</div><div><br></div><div>If/when we encounter a target without OpenSSL, we can add the complexity back, but for now, we keep paring away.)</div><div><br></div><div>..m</div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jan 27, 2017 at 12:23 PM Daniel Franke <<a href="mailto:dfoxfranke@gmail.com">dfoxfranke@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto" class="gmail_msg">Where is this notion coming from that OpenSSL is going to drop MD5 or SHA1 support any time soon? That's inconceivable to me.</div><div class="gmail_extra gmail_msg"><br class="gmail_msg"><div class="gmail_quote gmail_msg"></div></div><div class="gmail_extra gmail_msg"><div class="gmail_quote gmail_msg">On Jan 27, 2017 3:21 PM, "Eric S. Raymond" <<a href="mailto:esr@thyrsus.com" class="gmail_msg" target="_blank">esr@thyrsus.com</a>> wrote:<br type="attribution" class="gmail_msg"></div></div><div class="gmail_extra gmail_msg"><div class="gmail_quote gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Mark Atwood <<a href="mailto:fallenpegasus@gmail.com" class="gmail_msg" target="_blank">fallenpegasus@gmail.com</a>>:<br class="gmail_msg">
> We do need to get wacking on the weeds on removing more of this thicket.<br class="gmail_msg">
<br class="gmail_msg">
Here are our constraints:<br class="gmail_msg">
<br class="gmail_msg">
* Daniel has stated that he prefers the OpenSSL implementations of MD5 and<br class="gmail_msg">
SHA-1. He's our crypto expert, so he gets to make that call and I would<br class="gmail_msg">
have no grounds to even argue with it.<br class="gmail_msg">
<br class="gmail_msg">
* We have beem warned that these might be removed from OpenSSL in the<br class="gmail_msg">
unspecified future.<br class="gmail_msg">
<br class="gmail_msg">
* libsodium does not carry MD5 and SHA-1, and won't for the same reason<br class="gmail_msg">
that they might be removed<br class="gmail_msg">
<br class="gmail_msg">
Therefore, here are our options:<br class="gmail_msg">
<br class="gmail_msg">
1. Make OpenSSL a required library and remove the local MD5/SHA-1. Daniel gets<br class="gmail_msg">
his optimizations, I get to remove code, and all is happy unless the axe<br class="gmail_msg">
falls and MD5/SHA-1 are removed from OpenSSL.<br class="gmail_msg">
<br class="gmail_msg">
2. Do nothing. OpenSSL remains optional and we're covered against OpenSSL<br class="gmail_msg">
yanking those festures.<br class="gmail_msg">
--<br class="gmail_msg">
<a href="<a href="http://www.catb.org/~esr/" rel="noreferrer" class="gmail_msg" target="_blank">http://www.catb.org/~esr/</a>">Eric S. Raymond</a><br class="gmail_msg"></blockquote></div></div><div class="gmail_extra gmail_msg"><div class="gmail_quote gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
_______________________________________________<br class="gmail_msg">
devel mailing list<br class="gmail_msg">
<a href="mailto:devel@ntpsec.org" class="gmail_msg" target="_blank">devel@ntpsec.org</a><br class="gmail_msg">
<a href="http://lists.ntpsec.org/mailman/listinfo/devel" rel="noreferrer" class="gmail_msg" target="_blank">http://lists.ntpsec.org/mailman/listinfo/devel</a><br class="gmail_msg">
</blockquote></div></div></blockquote></div>