[LEDE-DEV] [PATCH] openssl: Remove RIPEMD-160 from OpenSSL
Philip Prindeville
philipp_subx at redfish-solutions.com
Tue Apr 18 13:01:28 PDT 2017
> On Mar 28, 2017, at 12:09 AM, Alexandru Ardelean <ardeleanalex at gmail.com> wrote:
>
> On Tue, Mar 28, 2017 at 1:45 AM, txt.file <txt.file at txtfile.eu> wrote:
>> The topic and patch are about OpenSSL but the description is about OpenSSH.
>> What has OpenSSL to do with OpenSSH?
>>
>> kind regards
>> txt.file
>> --
>> This message is signed.
>>
>> Rosen Penev:
>>> The commit that removed no-ripemd stated that it was needed for openssh.
>>> However with recent OpenSSH releases (7.4), RIPEMD-160 is run-time disabled.
>>> I've verified this with ssh -vvv making no mention of RIPEMD-160 anywhere.
>>> ---
>>> package/libs/openssl/Makefile | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
>>> index 2543a46..a2d3ce3 100644
>>> --- a/package/libs/openssl/Makefile
>>> +++ b/package/libs/openssl/Makefile
>>> @@ -100,7 +100,7 @@ endef
>>>
>>>
>>> OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
>>> - no-whrlpool no-whirlpool no-seed no-jpake
>>> + no-whrlpool no-whirlpool no-seed no-jpake no-ripemd
>>> OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
>>>
>>> ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
>>>
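Review bot: The `no-ripemd` flag on the `+` line applies to every build of the core openssl package, but the commit message only establishes that one consumer, OpenSSH 7.4, no longer needs RIPEMD-160 (checked with `ssh -vvv`). Any other package that links against this libcrypto loses the digest at build time with no way to opt back in. Consider gating the flag behind a config option, in the style of the `ifdef CONFIG_OPENSSL_ENGINE_CRYPTO` block that follows, or state in the commit message which other users of the library were checked. Separately, the unchanged context carries both `no-whrlpool` and `no-whirlpool`; a short comment explaining why both spellings are needed, or a cleanup in its own patch, would make this line easier to audit.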
>>
>>
>> _______________________________________________
>> Lede-dev mailing list
>> Lede-dev at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/lede-dev
>>
>
> as far as things go, openssh is part of the package feeds here:
> https://github.com/openwrt/packages/tree/master/net/openssh
>
> while openssl is part of the core packages
> removing this cipher if unused, makes sense also to reduce openssl size
>
> my 2c :)
>
> thanks
> Alex
What happens if someone has a private package feed and they’re still using it?
I think we should remove ciphers when they’re proven weak or otherwise vulnerable, like AES128-CBC… not when we’re unaware of anyone using it.
-Philip