Hi Richard,
Thanks for your quick response to my issue. My motivation for disabling
HMAC along with many other ciphers is in response to product requirements
which specify that only non-patented (or expired patent) and exportable
(from the US) encryption software be included. Since I'm kind of a newbie
to SSL and thinking that all I need is RSA, MD5 and RC4 I eliminated all
the rest as in:
no-idea no-bf no-cast no-dsa no-dh no-hmac no-md2 no-mdc2 no-rc2 no-rc5
Further reading has shown me that HMAC probably needs to be included, as
you mentioned.
BTW, there is a similar problem at line 62 of test/md2test.c where there is
an include openssl/md2.h which is not ifdef'ed out when no-md2 is
desired. This also causes the build to break. Is MD2 another one of those
ciphers that no one disables? Assuming that I want to exclude all
encryption which is either patented or not freely exportable worldwide,
which ones would you recommend to disable? I'm pretty sure that idea
needs to be disabled. Also I'm pretty sure that 3DES can't be used but I'm
not sure how to be certain it is disabled.
I appreciate any advice that you can offer.
Regards,
/bob
At 01:38 AM 2/19/2004, you wrote:
In message [EMAIL PROTECTED] on Thu, 19 Feb 2004
08:35:59 +0100 (MET), Bob Fishman via RT [EMAIL PROTECTED] said:
rt
rt Greetings,
rt
rt System and version:
rt
rt OpenSSL 0.9.7c
rt
rt
rt
rt Type:
rt Building, Configuration Error
rt
rt
rt Description:
rt When doing a make of OpenSSL with HMAC configured off (no-hmac) the code in
rt ssl/t1_enc.c appears to incorrectly include openssl/hmac.h. This causes
rt the make to abort.
rt
rt To duplicate this problem do:
rt
rt ./config no-idea no-bf no-cast no-hmac no-threads -fPIC
rt make depend
rt make
rt
rt
rt Suggested fix:
rt
rt At line 116 the line:
rt
rt #include <openssl/hmac.h>
rt
rt should be wrapped in an ifndef OPENSSL_NO_HMAC
rt
rt like this:
rt
rt #ifndef OPENSSL_NO_HMAC
rt #include <openssl/hmac.h>
rt #endif
That won't fix the problem, really. If you look at the TLS RFC, it's
*highly* dependent on HMAC. You might as well disable TLS (no-tls1)
while you're at it.
Out of curiosity, why do you want to disable HMAC?
-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
--
Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
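
The reply above says TLS is highly dependent on HMAC. The following sketch is an added example, not part of the original messages and not OpenSSL's code: it follows RFC 2246 (sections 5 and 6.2.3.1) using Python's standard `hmac` module, and shows that both the key derivation and the record MAC of an RSA/RC4/MD5 suite are built from HMAC calls. The function names and sample values are constructed for illustration.

```python
import hmac
import struct

def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: expand a secret using only HMAC."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    half = (len(secret) + 1) // 2                        # halves share a byte if odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def record_mac(hash_name, mac_secret, seq_num, content_type, fragment):
    """Record MAC from RFC 2246 section 6.2.3.1, again a plain HMAC."""
    # seq_num (uint64) + type + version 3.1 + length (uint16), then the fragment
    header = struct.pack("!QBBBH", seq_num, content_type, 3, 1, len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()

def derive_rc4_md5_keys(pre_master, client_random, server_random):
    """Key schedule for an RC4-128/MD5 suite: two 16-byte MAC keys, two 16-byte RC4 keys."""
    master = tls10_prf(pre_master, b"master secret", client_random + server_random, 48)
    block = tls10_prf(master, b"key expansion", server_random + client_random, 64)
    names = ("client_mac", "server_mac", "client_key", "server_key")
    return master, {n: block[i * 16:(i + 1) * 16] for i, n in enumerate(names)}

if __name__ == "__main__":
    # Constructed sample values, not taken from any real handshake.
    pre_master = b"\x03\x01" + bytes(range(46))
    client_random, server_random = bytes([0xC1]) * 32, bytes([0x5E]) * 32
    master, keys = derive_rc4_md5_keys(pre_master, client_random, server_random)
    mac = record_mac("md5", keys["client_mac"], 0, 23, b"GET / HTTP/1.0\r\n\r\n")
    print("master secret:", master.hex())
    print("record MAC   :", mac.hex())
```

Every step from the pre-master secret to a protected record goes through `hmac.new`, which is why removing HMAC from the build leaves nothing for the TLS 1.0 code to run on, even when only RSA, MD5 and RC4 are wanted.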