>> Ever hear the political adage, "If you're explaining yourself, you're
>> losing"? The same adage applies when talking to security people,
>> especially the non-technical ones. The common gss-keyex code out there
>> calls the OpenSSL MD5 function at runtime, and some of the distributions
>> that do ship the gss-keyex code (RedHat) decided to simply disable
>> gss-keyex code when FIPS is turned on. So yes, you CAN hardcode the
>> OID->name mappings, but it seems that nobody actually does that.
>
> We accept PRs.
I am SO many levels down from the people that manage the licenses that figuring out how to file a PR upwards through the various levels of the DoD would probably take me a few days (I don't have to convince RedHat there's a problem, I have to convince those gatekeepers that there's a problem first; that's where things go sideways). And those people are the kind of people that as soon as they hear "MD5" and "FIPS mode" in the same sentence, they're going to say, "THAT'S NOT ALLOWED".

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
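What hardcoding the OID->name mapping could look like, as an added Python sketch that is not the gss-keyex code and not from anyone in this thread: the RFC 4462 name suffix (base64 of the MD5 of the DER-encoded mechanism OID) is derived once at build time and shipped as a table, so the runtime lookup never calls MD5 at all. The function names are assumptions; the Kerberos V5 suffix is the value RFC 4462 itself publishes.

```python
import base64
import hashlib

# DER encoding of the Kerberos V5 GSS-API mechanism OID 1.2.840.113554.1.2.2
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")

# RFC 4462 key-exchange method name prefixes used by gss-keyex.
GSS_KEX_PREFIXES = ("gss-group1-sha1-", "gss-group14-sha1-", "gss-gex-sha1-")


def derive_suffix(mech_oid_der: bytes) -> str:
    """Build-time only: RFC 4462 suffix = base64(MD5(DER(mechanism OID))).

    MD5 is a name-derivation step here, not a security function, but a
    FIPS-mode OpenSSL refuses it anyway, so this must never run at runtime.
    """
    digest = hashlib.md5(mech_oid_der, usedforsecurity=False).digest()
    return base64.b64encode(digest).decode("ascii")


# Precomputed table compiled into the binary: no hashing at runtime.
# The Kerberos V5 entry is the value published in RFC 4462 section 2.1.
MECH_SUFFIXES = {
    KRB5_MECH_OID_DER: "toWM5Slw5Ew8Mqkay+al2g==",
}


def kex_names(mech_oid_der: bytes) -> list:
    """Runtime lookup (hypothetical name): method names for a mechanism.

    An unknown mechanism cannot be named without MD5, so under FIPS it is
    simply not offered (empty list) rather than computed on the fly.
    """
    suffix = MECH_SUFFIXES.get(mech_oid_der)
    if suffix is None:
        return []
    return [prefix + suffix for prefix in GSS_KEX_PREFIXES]


def check_table() -> bool:
    """Build-step regression check: every shipped entry matches the spec."""
    return all(derive_suffix(oid) == suf for oid, suf in MECH_SUFFIXES.items())
```

Running `check_table()` as part of the build (outside FIPS mode) is what keeps the shipped table honest when a mechanism OID is added.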