On Thursday, 31 August 2017 11:13:13 CEST Richard Levitte wrote:
> In message
> <CALq8RvJrMZ=zmymQ1Z1HiHDDWwdCWMKjZL5whjGrET=jw5a...@mail.gmail.com> on
> Thu, 31 Aug 2017 11:25:16 +0530, Jayalakshmi bhat
> <bhat.jayalaks...@gmail.com> said:
>
> bhat.jayalakshmi> Hi All,
> bhat.jayalakshmi>
> bhat.jayalakshmi> I am trying to build openssl. As part of that I want
> bhat.jayalakshmi> to remove some ciphers like md4, rc5 etc.
> bhat.jayalakshmi>
> bhat.jayalakshmi> I tried ./config no-md5, no-rc5 and ./Configure
> bhat.jayalakshmi> no-md5, no-rc5. In both cases MD4 and RC5
> bhat.jayalakshmi> directories are still getting compiled.
> bhat.jayalakshmi>
> bhat.jayalakshmi> Please can you let me know what could be going wrong.
>
> Your configuration line says 'no-md5', which is an attempt to remove
> MD5, not MD4. Your config line should be this:
>
>     ./config no-md4 no-rc5
>
> It's possible, though, that you really meant to remove MD5...
> unfortunately, it's such an integral part of most SSL/TLS protocol
> versions that we cannot for the moment allow it to be disabled.
> That's the issue you're hitting.

It's not an integral part of TLS 1.2 though, so allowing for disabling of MD5
when SSL, TLS 1.0 and TLS 1.1 are disabled isn't unreasonable.

At the same time, the problem of data-at-rest remains, because while disabling
it for TLS is a good idea, disabling it for decryption of PKCS#12 or PKCS#8
(private keys), CMS or S/MIME at the same time could create issues that
manifest only quite a bit later.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
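
An added example, not part of the original thread: one way to confirm that the `no-<alg>` options discussed above took effect is to look for the matching `OPENSSL_NO_<ALG>` macro in the generated `opensslconf.h`. The function names and the embedded header are constructed for illustration; pass the real header from your own build tree.

```shell
#!/bin/sh
# Constructed sample: the relevant part of a generated opensslconf.h
# after "./config no-md4 no-rc5" (MD5 is not disabled).
sample_header() {
    cat <<'EOF'
#ifndef OPENSSL_NO_MD4
# define OPENSSL_NO_MD4
#endif
#ifndef OPENSSL_NO_RC5
# define OPENSSL_NO_RC5
#endif
EOF
}

# check_disabled HEADER OPTION...
# Prints one line per option; returns 0 only if every option took effect.
check_disabled() {
    header=$1; shift
    rc=0
    for opt in "$@"; do
        case $opt in
            no-*) ;;
            *) echo "$opt: not a no-<feature> option"; rc=1; continue ;;
        esac
        # no-md4 -> OPENSSL_NO_MD4 (upper-case, '-' becomes '_')
        macro=OPENSSL_NO_$(printf '%s' "${opt#no-}" | tr 'a-z-' 'A-Z_')
        # Match "# define MACRO" exactly, not a longer macro name.
        if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$macro([[:space:]]|\$)" "$header"; then
            echo "$opt: disabled ($macro defined)"
        else
            echo "$opt: still enabled ($macro not defined)"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed header: no-md5 is reported as still enabled.
hdr=$(mktemp)
sample_header > "$hdr"
check_disabled "$hdr" no-md4 no-rc5 no-md5 || echo "at least one option did not take effect"
rm -f "$hdr"
```
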
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev