Re: openssl and curves

2015-02-21 Thread Nico Kadel-Garcia
On Sat, Feb 21, 2015 at 11:02 PM, Andrew Z  wrote:
> I hope someone had a chance to create an rpm for openssl that has all curves
> and doesn't mind sharing the srpm.

You just conjured an amazing image involving, well, "all curves".

> Or maybe help me out by explaining what I need to enable in the config of
> openssl to get them (curves) included. Currently I use this:
>
> + ./Configure --prefix=/usr --openssldir=/etc/pki/tls
> --system-ciphers-file=/etc/crypto-policies/back-ends/openssl.config zlib
> enable-camellia enable-seed enable-tlsext enable-rfc3779 enable-cms enable-md2
> no-mdc2 no-rc5 no-gost no-srp --with-krb5-flavor=MIT
> --enginesdir=/usr/lib64/openssl/engines --with-krb5-dir=/usr shared linux-x86_64
> fips
> Configuring for linux-x86_64
> no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
> no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
> no-gost [option]   OPENSSL_NO_GOST (skip dir)
> no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
> no-mdc2 [option]   OPENSSL_NO_MDC2 (skip dir)
> no-rc5  [option]   OPENSSL_NO_RC5 (skip dir)
> no-rsax [forced]   OPENSSL_NO_RSAX (skip dir)
> no-sctp [default]  OPENSSL_NO_SCTP (skip dir)
> no-srp  [option]   OPENSSL_NO_SRP (skip dir)
> no-store [experimental] OPENSSL_NO_STORE (skip dir)
> no-unit-test [default]  OPENSSL_NO_UNIT_TEST (skip dir)
> no-zlib-dynamic [default]
> IsMK1MF=0
> CC=gcc
>
>
> Crypto is completely out of my league and I'm 99.9% sure I do _not_ know
> what I'm talking about ...

And this looks like a really, really bad idea. Not in the sense of
enabling all the curves you want, but in the sense of breaking every
SSL-based system tool that might generally be willing to use other
types of cryptography. This will mean that your SSL-based *clients*
will not be able to interoperate with public applications and sites
that use non-curve cryptography. Why would you want this?


openssl and curves

2015-02-21 Thread Andrew Z
I hope someone had a chance to create an rpm for openssl that has all curves
and doesn't mind sharing the srpm.

Or maybe help me out by explaining what I need to enable in the config of
openssl to get them (curves) included. Currently I use this:

+ ./Configure --prefix=/usr --openssldir=/etc/pki/tls
--system-ciphers-file=/etc/crypto-policies/back-ends/openssl.config zlib
enable-camellia enable-seed enable-tlsext enable-rfc3779 enable-cms enable-md2
no-mdc2 no-rc5 no-gost no-srp --with-krb5-flavor=MIT
--enginesdir=/usr/lib64/openssl/engines --with-krb5-dir=/usr shared linux-x86_64
fips
Configuring for linux-x86_64
no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
no-gost [option]   OPENSSL_NO_GOST (skip dir)
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
no-mdc2 [option]   OPENSSL_NO_MDC2 (skip dir)
no-rc5  [option]   OPENSSL_NO_RC5 (skip dir)
no-rsax [forced]   OPENSSL_NO_RSAX (skip dir)
no-sctp [default]  OPENSSL_NO_SCTP (skip dir)
no-srp  [option]   OPENSSL_NO_SRP (skip dir)
no-store [experimental] OPENSSL_NO_STORE (skip dir)
no-unit-test [default]  OPENSSL_NO_UNIT_TEST (skip dir)
no-zlib-dynamic [default]
IsMK1MF=0
CC=gcc


Crypto is completely out of my league and I'm 99.9% sure I do _not_ know
what I'm talking about ...