[PATCH] use all available openssl algorithms

Dan Williams dcbw
Thu Jan 7 08:02:07 PST 2010


On Thu, 2010-01-07 at 11:08 +0200, Jouni Malinen wrote:
> On Wed, Jan 06, 2010 at 08:04:10PM -0800, Dan Williams wrote:
> > See:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=541924
> > https://bugzilla.redhat.com/show_bug.cgi?id=538851
> > 
> > ---
> > Though maybe the EVP_add_digest() bits affect this and you'd rather
> > specify the algorithms exactly?
> 
> Yes, I would certainly prefer more explicit configuration of algorithms,
> i.e., only enable what it really needed. Whatever is needed for SSL
> should already be there, but reading some odd PKCS#12 files may require
> additional algorithms. Using OpenSSL_add_all_algorithms() will increase
> the binary size unnecessarily when linking statically and it may enable
> ciphers or hash algorithms that really should not be enabled in a secure
> application or at least not done without fully understanding what this
> changes. It is a global configuration that can change behavior not only
> for reading local keys, but also for the TLS handshake.

So in the bug report, the reporter says:

openssl pkcs12 -in CertificatoASI.p12 -info -noout

gives me:

Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

Does that mean we need both RC2-40-CBC and 3DES-CBC enabled?  Or should
this guy just re-encrypt his key?

Dan





More information about the Hostap mailing list