@abh3 commented on this pull request.

OK, I added my 2 cents. I see the problem and am asking a) can we come up with a better solution than downgrading everything, and b) if we can't, the original code needs to be kept in comment form so that anyone looking at it can see what was done without resorting to git history to make it painfully apparent.


In src/XrdCrypto/XrdCryptosslCipher.cc:

> @@ -507,12 +522,10 @@ XrdCryptosslCipher::XrdCryptosslCipher(bool padded, int bits, char *pub,
       static EVP_PKEY *dhparms = [] {
          DEBUG("generate DH parameters");
          EVP_PKEY *dhParam = 0;
-         EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, 0);
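Review bot: the `DEBUG("generate DH parameters")` message kept directly above the removed `EVP_PKEY_CTX_new_id(EVP_PKEY_DH, 0)` line will be misleading if this lambda no longer generates parameters; nothing visible in the hunk replaces `pkctx`, so either update the message to say what the lambda now returns, or add a comment next to it stating why runtime generation was dropped (the OpenSSL 1.0.1 compatibility goal discussed in this review) and where the fixed parameters come from, so the reason is readable without consulting git history.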

OK, we really should at the very least comment the code out, not delete it. That way it's easy to get back to a state where fixed DH parameters need not be used. I say this because I have no idea what the security implications are of making this compatible with OpenSSL 1.0.1, which is known to be not very secure. I know there are still clients out there that use 1.0.1, which is quickly becoming not the case as people are forced to upgrade to 1.1.1 by their security teams. I wish we could somehow make this dependent on the client version and not just do it for everyone. Not clear that is possible, but at least we should make it explicit what has changed without needing to go into git history.


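The review above asks whether the choice between freshly generated and fixed DH parameters could depend on the peer's OpenSSL version rather than being applied to everyone. The following is an added illustration of that idea and is not XRootD code nor part of this pull request; it assumes (hypothetically, the thread does not establish this) that the server can obtain the peer's OpenSSL version as a string such as "OpenSSL 1.0.1e", and the version floors (1.1.1 for generated parameters, 1.0.1 for fixed ones, anything older or unparseable rejected) are illustrative policy values, not values from the project.

```cpp
// Added example, not XrdCrypto code: pick a DH parameter strategy per peer
// OpenSSL version instead of using fixed parameters for every client.
#include <cctype>
#include <cstdio>
#include <string>
#include <tuple>

// Version triple parsed from a string like "OpenSSL 1.0.1e" or "1.1.1k".
struct SslVersion {
    int major = 0, minor = 0, fix = 0;
    bool valid = false;  // false when fewer than two numeric components were found
};

// Parse the first dotted numeric run in the string; a trailing patch letter
// ("e", "k") is ignored, a non-digit right after a dot makes the result invalid.
SslVersion parseOpenSSLVersion(const std::string &s) {
    SslVersion v;
    size_t i = 0;
    while (i < s.size() && !std::isdigit(static_cast<unsigned char>(s[i]))) ++i;
    int parts[3] = {0, 0, 0};
    int n = 0;
    while (i < s.size() && n < 3) {
        if (!std::isdigit(static_cast<unsigned char>(s[i]))) return v;  // malformed, stays invalid
        int val = 0;
        while (i < s.size() && std::isdigit(static_cast<unsigned char>(s[i]))) {
            val = val * 10 + (s[i] - '0');
            ++i;
        }
        parts[n++] = val;
        if (i < s.size() && s[i] == '.') ++i; else break;
    }
    if (n < 2) return v;  // need at least major.minor
    v.major = parts[0]; v.minor = parts[1]; v.fix = parts[2];
    v.valid = true;
    return v;
}

enum class DhStrategy { Reject, FixedParams, GenerateParams };

// Hypothetical policy (assumed floors, not the project's): peers at or above
// 1.1.1 get freshly generated DH parameters, legacy 1.0.x peers get the fixed
// parameters, and anything older or unparseable is refused rather than
// silently downgraded.
DhStrategy chooseDhStrategy(const SslVersion &v) {
    if (!v.valid) return DhStrategy::Reject;
    std::tuple<int, int, int> t(v.major, v.minor, v.fix);
    if (t >= std::make_tuple(1, 1, 1)) return DhStrategy::GenerateParams;
    if (t >= std::make_tuple(1, 0, 1)) return DhStrategy::FixedParams;
    return DhStrategy::Reject;
}

const char *strategyName(DhStrategy s) {
    switch (s) {
        case DhStrategy::Reject:         return "reject";
        case DhStrategy::FixedParams:    return "fixed DH parameters";
        case DhStrategy::GenerateParams: return "generate DH parameters";
    }
    return "?";
}

int main() {
    // Constructed sample peer version strings for the stand-alone run.
    const char *peers[] = {"OpenSSL 1.0.1e", "OpenSSL 1.1.1k", "OpenSSL 3.0.2", "0.9.8", "unknown"};
    for (const char *p : peers)
        std::printf("%-16s -> %s\n", p, strategyName(chooseDhStrategy(parseOpenSSLVersion(p))));
    return 0;
}
```

The point of keeping `Reject` as a distinct outcome is that an unparseable or pre-1.0.1 peer should not fall through to the fixed parameters by accident; the downgrade is only taken for the versions the policy explicitly names.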
View this review on GitHub: https://github.com/xrootd/xrootd/pull/2026#pullrequestreview-1465297443
Distributed via the XROOTD-DEV list (listserv.slac.stanford.edu).