[PATCH] use all available openssl algorithms

Jouni Malinen j
Thu Jan 7 01:08:13 PST 2010


On Wed, Jan 06, 2010 at 08:04:10PM -0800, Dan Williams wrote:
> See:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=541924
> https://bugzilla.redhat.com/show_bug.cgi?id=538851
> 
> ---
> Though maybe the EVP_add_digest() bits affect this and you'd rather
> specify the algorithms exactly?

Yes, I would certainly prefer more explicit configuration of algorithms,
i.e., only enable what is really needed. Whatever is needed for SSL
should already be there, but reading some odd PKCS#12 files may require
additional algorithms. Using OpenSSL_add_all_algorithms() will increase
the binary size unnecessarily when linking statically and it may enable
ciphers or hash algorithms that really should not be enabled in a secure
application or at least not done without fully understanding what this
changes. It is a global configuration that can change behavior not only
for reading local keys, but also for the TLS handshake.

-- 
Jouni Malinen                                            PGP id EFC895FA


