RC5 and MDC2 have been disabled by default in OpenSSL for some time now: https://github.com/joyent/node/blob/v0.10.40-release/deps/openssl/openssl/CHANGES#L2856
You can verify what algorithms are enabled in a Node.js build by running the following:

    > node.exe
    > console.log(crypto.getCiphers())
    [ 'CAST-cbc',
      'aes-128-cbc', 'aes-128-cbc-hmac-sha1', 'aes-128-cfb', 'aes-128-cfb1', 'aes-128-cfb8',
      'aes-128-ctr', 'aes-128-ecb', 'aes-128-gcm', 'aes-128-ofb', 'aes-128-xts',
      'aes-192-cbc', 'aes-192-cfb', 'aes-192-cfb1', 'aes-192-cfb8',
      'aes-192-ctr', 'aes-192-ecb', 'aes-192-gcm', 'aes-192-ofb',
      'aes-256-cbc', 'aes-256-cbc-hmac-sha1', 'aes-256-cfb', 'aes-256-cfb1', 'aes-256-cfb8',
      'aes-256-ctr', 'aes-256-ecb', 'aes-256-gcm', 'aes-256-ofb', 'aes-256-xts',
      'aes128', 'aes192', 'aes256',
      'bf', 'bf-cbc', 'bf-cfb', 'bf-ecb', 'bf-ofb', 'blowfish',
      'camellia-128-cbc', 'camellia-128-cfb', 'camellia-128-cfb1', 'camellia-128-cfb8',
      'camellia-128-ecb', 'camellia-128-ofb',
      'camellia-192-cbc', 'camellia-192-cfb', 'camellia-192-cfb1', 'camellia-192-cfb8',
      'camellia-192-ecb', 'camellia-192-ofb',
      'camellia-256-cbc', 'camellia-256-cfb', 'camellia-256-cfb1', 'camellia-256-cfb8',
      'camellia-256-ecb', 'camellia-256-ofb',
      'camellia128', 'camellia192', 'camellia256',
      'cast', 'cast-cbc', 'cast5-cbc', 'cast5-cfb', 'cast5-ecb', 'cast5-ofb',
      'des', 'des-cbc', 'des-cfb', 'des-cfb1', 'des-cfb8', 'des-ecb',
      'des-ede', 'des-ede-cbc', 'des-ede-cfb', 'des-ede-ofb',
      'des-ede3', 'des-ede3-cbc', 'des-ede3-cfb', 'des-ede3-cfb1', 'des-ede3-cfb8', 'des-ede3-ofb',
      'des-ofb', 'des3', 'desx', 'desx-cbc',
      'id-aes128-GCM', 'id-aes192-GCM', 'id-aes256-GCM',
      'idea', 'idea-cbc', 'idea-cfb', 'idea-ecb', 'idea-ofb',
      'rc2', 'rc2-40-cbc', 'rc2-64-cbc', 'rc2-cbc', 'rc2-cfb', 'rc2-ecb', 'rc2-ofb',
      'rc4', 'rc4-40', 'rc4-hmac-md5',
      'seed', 'seed-cbc', 'seed-cfb', 'seed-ecb', 'seed-ofb' ]
    undefined
    >

On Tuesday, 21 July 2015 21:24:40 UTC+1, Steve Thomas wrote:
>
> Hi,
>
> I'm writing to ask about OpenSSL as a dependency of Node.js and
> specifically RC5 encryption. We were asked today by one of our lawyers if
> RC5 is included in the NodeJS distribution for Windows. He understood that
> Node included OpenSSL and was concerned that it might also be distributing
> the RC5 algorithm and other patent-protected algorithms. The OpenSSL FAQ
> page <https://www.openssl.org/support/faq.html>, for example, mentions
> these algorithms in passing:
>
> *Do I need patent licenses to use OpenSSL?*
>
> For information on intellectual property rights, please consult a lawyer.
> The OpenSSL team does not offer legal advice.
>
> You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
>
>     ./config no-idea no-mdc2 no-rc5
>
>
> Also, while I'm not very familiar with the guts of NodeJS and don't
> traffic at that level, if I search the GitHub repo, RC5 turns up a few
> times, e.g. in this file
> <https://github.com/joyent/node/blob/master/deps/openssl/openssl.gyp>,
> which appears as though it is linked in for Windows.
>
> An issue was raised a while back
> <https://github.com/joyent/node/pull/2182> that mentioned this as a
> concern in the context of FreeBSD and proposed removing or disabling RC5 as
> well as some other algorithms, but this doesn't appear to have been merged.
>
> Anyway, that's all I've been able to find. I'm not looking for legal
> advice, but rather information on whether RC5 (and perhaps IDEA and MDC2 as
> well) are (1) distributed and (2) enabled (by default or not) in the NodeJS
> distribution for Windows. If so, how could we prevent their use in the
> code, disable them, or remove them from the distribution. If not, and you
> can provide a reference that I can pass on, I would be very grateful.
>
> Thanks in advance,
>
> Steve
> ...
> Steve Thomas
> Pittsburgh, PA
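The check from the reply, extended to digests as well, since MDC2 is a hash and would be reported by crypto.getHashes() rather than crypto.getCiphers(); this is an added example, not code from the thread. FAMILIES, findFamilies, auditBuild and SAMPLE_FROM_THREAD are names chosen here, and the sample is a subset of the cipher names printed in the listing above.

```javascript
// Added example: report which of the algorithm families named in the thread
// a given Node.js build exposes through its bundled OpenSSL.
const crypto = require('crypto');

// Families the original question asks about.
const FAMILIES = ['rc5', 'idea', 'mdc2'];

// Constructed sample: a subset of the names in the getCiphers() listing above.
const SAMPLE_FROM_THREAD = [
  'CAST-cbc', 'aes-128-cbc', 'aes-256-gcm', 'des-ede3-cbc',
  'idea', 'idea-cbc', 'idea-cfb', 'idea-ecb', 'idea-ofb',
  'rc2-cbc', 'rc4', 'rc4-hmac-md5', 'seed-cbc',
];

// Return, for each family, every reported name that contains the family name.
// Matching is case-insensitive and by substring so that aliases such as
// "RC5-CBC" or "RSA-MDC2" are caught along with the bare name.
function findFamilies(names, families = FAMILIES) {
  const found = {};
  for (const family of families) {
    found[family] = names.filter((n) => n.toLowerCase().includes(family));
  }
  return found;
}

// Audit the build this script runs on: ciphers and digests together.
function auditBuild() {
  const names = [...crypto.getCiphers(), ...crypto.getHashes()];
  return findFamilies(names);
}

// Summarise an audit result as the list of families with at least one hit.
function enabledFamilies(result) {
  return Object.keys(result).filter((family) => result[family].length > 0);
}

console.log('this build:', auditBuild());
console.log('sample from thread:', enabledFamilies(findFamilies(SAMPLE_FROM_THREAD)));
```

Run it with the same node binary that ships in the distribution being audited; an empty array for a family means no name from that family is reported by that build.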
