Print

Print

Is this really necessary if we link to OpenSSL 1.1 on CentOS 7?

No -- but replacing all clients is not an option. For example, we cannot ask experiments to stop using the Run 2 / 3 releases and replace them.

I say this because I have no idea what the security implications are by making this compatible with OpenSSL 1.0.1 which is known to be not very secure

You can read through the OpenSSL ticket for why they made the change. The existing DH code we use leaks a single bit of the session key.

Mind you, the existing DH code we use also leaks all bits of the session key because 512 bit DH was broken in the 1990's.

That way it's easy to get back to a state where fixed DH parameters need not be used

Why? Fixed DH parameters are done everywhere, on almost every webserver on the planet and IPSec. I don't understand the emphasis on dynamically generating the DH parameters when there's no strong cryptographic motivation or risk reduction.


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <xrootd/xrootd/pull/2026/c1578910456@github.com>

[ { "@context": "http://schema.org", "@type": "EmailMessage", "potentialAction": { "@type": "ViewAction", "target": "https://github.com/xrootd/xrootd/pull/2026#issuecomment-1578910456", "url": "https://github.com/xrootd/xrootd/pull/2026#issuecomment-1578910456", "name": "View Pull Request" }, "description": "View this Pull Request on GitHub", "publisher": { "@type": "Organization", "name": "GitHub", "url": "https://github.com" } } ]

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1