On 31/08/17 14:52, Hubert Kario wrote:
> On Thursday, 31 August 2017 11:13:13 CEST Richard Levitte wrote:
>> In message
>> <CALq8RvJrMZ=zmymQ1Z1HiHDDWwdCWMKjZL5whjGrET=jw5a...@mail.gmail.com> on
>> Thu, 31 Aug 2017 11:25:16 +0530, Jayalakshmi bhat
>> <bhat.jayalaks...@gmail.com> said:
>>
>> bhat.jayalakshmi> Hi All,
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> I am trying to build openssl. As part of that I want
>> bhat.jayalakshmi> to remove some ciphers like md4, rc5 etc.
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> I tried ./config no-md5, no-rc5 and ./Configure
>> bhat.jayalakshmi> no-md5, no-rc5. In both cases the MD4 and RC5
>> bhat.jayalakshmi> directories are still getting compiled.
>> bhat.jayalakshmi>
>> bhat.jayalakshmi> Please can you let me know what could be going wrong.
>>
>> Your configuration line says 'no-md5', which is an attempt to remove
>> MD5, not MD4. Your config line should be this:
>>
>>     ./config no-md4 no-rc5
>>
>> It's possible, though, that you really meant to remove MD5...
>> unfortunately, it's such an integral part of most SSL/TLS protocol
>> versions that we cannot for the moment allow it to be disabled.
>> That's the issue you're hitting.
>
> It's not an integral part of TLS 1.2 though, so allowing for disabling of
> MD5 when SSL, TLS1.0 and TLS 1.1 are disabled isn't unreasonable.
>
> At the same time, the problem of data-at-rest remains, because while
> disabling it for TLS is a good idea, disabling it for decryption of
> PKCS#12 or PKCS#8 (private keys), CMS or S/MIME at the same time could
> create issues that manifest only quite a bit later.
>
Note (as an aside) that no-md5 was removed as an option from OpenSSL 1.1.0 (and master).

Matt
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
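A check for the symptom discussed in this thread, added here as an example (it is not code from the thread or from the OpenSSL project): it reads the opensslconf.h that configuration generates and reports which requested features have no OPENSSL_NO_<NAME> define, meaning they will still be compiled. The function names and the sample header are constructed for illustration; on a real tree, pass the path of the generated opensslconf.h instead.

```shell
#!/bin/sh
# Added example: confirm which features a configured OpenSSL tree disables.
# A disabled feature appears in the generated opensslconf.h as
#   # define OPENSSL_NO_<FEATURE>
# Helper names below are hypothetical, not part of OpenSSL.

# is_disabled HEADER FEATURE -> exit 0 if OPENSSL_NO_<FEATURE> is defined
is_disabled() {
    # "md4" -> OPENSSL_NO_MD4, "weak-ssl-ciphers" -> OPENSSL_NO_WEAK_SSL_CIPHERS
    macro="OPENSSL_NO_$(printf '%s' "$2" | tr 'a-z-' 'A-Z_')"
    # Anchor the end of the macro so "rc" does not match OPENSSL_NO_RC5.
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$1"
}

# still_enabled HEADER FEATURE... -> prints features that are NOT disabled
still_enabled() {
    header=$1; shift
    out=""
    for feat in "$@"; do
        is_disabled "$header" "$feat" || out="${out}${out:+ }${feat}"
    done
    printf '%s\n' "$out"
}

# Constructed sample header: RC5 and MD2 are disabled, MD4 is not,
# which is the situation reported in the thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
#ifndef OPENSSL_NO_RC5
# define OPENSSL_NO_RC5
#endif
EOF

# Features we intended to remove; anything printed here is still built.
echo "requested but not disabled: $(still_enabled "$SAMPLE" md4 rc5)"
```

Running this right after `./config` and before `make` catches a mistyped option name before the build starts.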