"There isn't an option to do that currently."

I agree that there is not a functioning option to do this, but the README and configure help all indicate that "no-CIPHER" is a legal option. And config will change the header files for each cipher that is disabled, but it does not update the makefiles throughout the tree to exclude making the ciphers, which is the first set of errors that I found.

Yes, there are interdependencies for the ciphers that may invalidate this attempt. The link between des & des3 is obvious and possibly unbreakable. I've also found des required by mdc2 and pem, plus all the ciphers are required by evp. Whether these are "required" or just included because these ciphers are "always included" is something I don't know.

The variety of source tree changes that will be required before the LOW and MEDIUM ciphers can be completely removed will require time that I don't have right now. So my fallback plan will be to do my best to prevent these ciphers from existing on the systems in the runtime environment (and especially the PCI audit environment).

Please let me know if my desired build enhancement is ever included in a future release, or if you would like an additional tester for such a change before it's added to the distribution release.

Thanks for your feedback!

Roch Skelton
Security Administrator, HMS Host
...
You are in a maze of twisty little passages, all alike!
Xyzzy won't help you now!!

-----Original Message-----
From: Stephen Henson via RT [mailto:r...@openssl.org]
Sent: Thursday, May 20, 2010 2:14 PM
To: Skelton, Roch
Cc: openssl-dev@openssl.org
Subject: [openssl.org #2271] bug report / enhancement request

> [roch.skel...@hmshost.com - Thu May 20 09:34:25 2010]:
>
> To ensure compliance with high security environments, I would like to
> build my copy of openssl without support for the LOW and MEDIUM
> ciphers. After reviewing the various cipher and config options, I
> decided to use the following configuration:
>
> ./config zlib shared no-RC2 no-RC4 no-SEED no-IDEA no-DES
>
> This command line was acceptable to configure, but unfortunately the
> actual build process fails. Disabling any cipher results in a fatal
> error to the build when completing the make in ./crypto/(cipher).
>
> It appears to be a "bug" that the options to config are not correctly
> implemented to produce clean builds.
> It may also be that I am trying a configuration that was never
> expected, yet I believe is a reasonable choice. In that case this is
> perhaps an enhancement request - which could be implemented in a later
> version, and hopefully with a better UI, like "no-LOW no-MEDIUM".
> Certainly the DES choice should require very careful enhancements to
> the source, such that "des" would be disabled yet "des3" would still
> be supported. I do not have an answer for this mess at this time. If
> there is a solution in the configure or make steps of which I am not
> aware, please feel free to send me the information and I will test it.
>

There isn't an option to do that currently. If you just want this to work with SSL/TLS then an appropriate cipher string would work. The "FIPS" string is one possibility.

You may hit some problems if you disable things like RC2. For example PKCS#12 files still commonly encrypt certificates using 40 bit RC2.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
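The runtime alternative Steve suggests (a cipher string instead of a rebuilt library) can be verified by asking the linked OpenSSL which suites a string actually enables. The following is an added example, not code from the thread or from the OpenSSL project: it uses Python's ssl module, and the cipher string is an assumed one chosen for the example rather than the "FIPS" alias, whose availability depends on the OpenSSL version.

```python
"""Added example (not from the thread): check at runtime that a TLS cipher
string excludes the algorithms the poster wanted to build out
(RC2, RC4, SEED, IDEA, DES/3DES), using the ssl module's OpenSSL bindings."""
import ssl

# Algorithm tokens as they appear in OpenSSL cipher-suite names.
# Constructed for this example from the poster's no-* list; "DES" also
# matches the triple-DES suites (e.g. DES-CBC3-SHA).
WEAK_ALGOS = ("RC2", "RC4", "SEED", "IDEA", "DES")

# Assumed restrictive cipher string for the example (not the "FIPS" alias
# from the reply): HIGH-strength suites only, with the weak algorithms
# and unauthenticated/null suites explicitly removed.
STRICT_CIPHERS = "HIGH:!aNULL:!eNULL:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES"


def enabled_ciphers(cipher_string):
    """Return the suite names the linked OpenSSL enables for a string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers_enabled(cipher_string):
    """Enabled suite names that still use one of WEAK_ALGOS."""
    return [name for name in enabled_ciphers(cipher_string)
            if any(alg in name for alg in WEAK_ALGOS)]


def cipher_string_is_clean(cipher_string):
    """True when the string enables at least one suite and none are weak."""
    names = enabled_ciphers(cipher_string)
    return bool(names) and not weak_ciphers_enabled(cipher_string)


if __name__ == "__main__":
    for name in enabled_ciphers(STRICT_CIPHERS):
        print(name)
    print("clean:", cipher_string_is_clean(STRICT_CIPHERS))
```

Because the check runs against the OpenSSL the process is actually linked with, it can be dropped into a deployment test to confirm the runtime environment matches the intended policy even when the library itself still contains the weak ciphers.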