
The problem is that by default openssl 3 does not enable the "legacy provider" that would allow certain algorithms to be used. This includes the blowfish cipher used by sss. There is the possibility of enabling it system wide: I've tested that by applying the setting on centos9s, it allows a machine acting as a client to interact with a centos7 server. The setting should also allow a server to run on centos9s. The change is:

In /etc/ssl/openssl.cnf ensure these lines are uncommented:

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

The above lines exist in the default conf file, but some are commented out.

The configuration file approach may not be suitable for all situations, particularly when users are the ones running the client on machines where we can't reasonably expect the system wide configuration to be changed. I'll prepare a PR to programmatically enable the legacy provider in XrdCryptoLite_bf32.


Message ID: <xrootd/xrootd/issues/1725/1189063331@github.com>
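
A way to audit a host for the setting described in the message above, as an added example that is not part of the original message or of the xrootd code: the function reads an OpenSSL configuration file, ignores commented-out lines, and reports whether both the default and legacy providers are activated. The name `check_legacy_provider` is hypothetical, the sample file is constructed, and only the lines listed in the message are checked.

```shell
# check_legacy_provider FILE   (hypothetical helper name)
# Returns 0 only if FILE activates both the default and the legacy provider
# through the [provider_sect] lines listed in the message above.
check_legacy_provider() {
    awk '
        { sub(/[ \t]*#.*/, "") }   # strip comments: commented-out lines must not count
        /^[ \t]*\[.*\][ \t]*$/ {   # section header such as [provider_sect]
            sub(/^[ \t]*\[[ \t]*/, ""); sub(/[ \t]*\][ \t]*$/, "")
            sect = $0; next
        }
        /=/ {                      # key = value inside the current section
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            conf[sect, key] = val
        }
        END {
            bad = 0
            n = split("default legacy", want, " ")
            for (i = 1; i <= n; i++) {
                p = want[i]
                target = conf["provider_sect", p]   # section named for this provider
                if (target == "") {
                    printf "%s: not listed in [provider_sect]\n", p; bad = 1
                } else if (conf[target, "activate"] != "1") {
                    printf "%s: [%s] lacks activate = 1\n", p, target; bad = 1
                } else {
                    printf "%s: active\n", p
                }
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample: a config in which some of the lines are still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[provider_sect]
default = default_sect
# legacy = legacy_sect

[default_sect]
# activate = 1

# [legacy_sect]
# activate = 1
EOF
check_legacy_provider "$sample" || echo "legacy provider not enabled by this file"
rm -f "$sample"
```

On a real host, pass the path of the configuration file in use, for example `check_legacy_provider /etc/ssl/openssl.cnf`.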