Hi.  I'm on the BIND 9 development team, and we're hoping to use OpenSSL
to perform the cryptography necessary for DNSSEC.  The OpenSSL code is
portable and fast, which is exactly what we're looking for.  There are a
few problems, though, and I'm not sure how much work is required to get
around them, and whether these changes would be desired for the main
distribution.

- US Export control issues.  We only need DSA, SHA1, MD5, and randomness
  (and possibly RSA when the patent expires).  Since BIND must be
  exportable, it would be nice to be able to strip out the code for unneeded
  algorithms before running config, so that we can distribute a subset in the
  BIND distribution.
  
- Cipher disables.  Many of the ciphers can be disabled by config
  options.  Some of these don't work (no-hmac dies with an #error,
  no-ripemd has no effect).

- Other disables.  Options such as no-asn1, no-pkcs7, no-pkcs12, no-x509
  would be useful, as these would significantly shrink the size of libcrypto.a
  as well as the source.  Disabling SSL would be nice also, but isn't as
  important, since it's not linked into libcrypto.

I'd be willing to contribute patches for the disable options (not written
yet, but they shouldn't be too hard).  As for the config stuff, I could
probably do that too, but it might make more sense if someone familiar
with the scripts could look at it.

Thanks,
Brian

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
