Hi friends!

The current git master of OpenSSL gives us some clues of what's going to happen when OpenSSL version 3 ships, planned for Q3 2020 I believe. I make a curl build against that every once in a while to see if anything falls over.

This time several things did. While two of the issues were easily worked around, there's a third one that might need some thoughts:

 1. SSL_CTX_load_verify_locations() is deprecated, but the replacement
    functions seem easy to use instead.

 2. The MD4 functions are deprecated, but since we have private MD4 code
    already it is easy to switch to using that instead.

Now for the one that gives me problems:

 3. The DES functions are deprecated. Meaning they're marked as such in the
    public headers and they will cause compiler warnings when used and if we
    build curl with -Werror we get build errors.

I presume the DES functions are going away because DES is a notoriously weak and crappy cipher. curl uses DES for the NTLM implementation, and while it is a very icky authentication protocol and complicated to get right in the code, I get the feeling there are still quite a few curl users using NTLM.

So what do we do? I can think of at least 4 different ways to go with this, each choice with its own set of baggage to carry:

A) Live with (and work around) the compiler warnings as long as we can link fine. (We don't know for how long that'll work.)

B) Disable NTLM when OpenSSL version 3 or later is used

C) Import DES code (as we have done for MD4 and MD5) and build with that code when OpenSSLv3 is used.

D) Use another 3rd party DES lib (which?) when OpenSSLv3 is used.

E) Other: ________

I think I personally am in the C or D camp for the moment.

Thoughts?

--

 / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                  | Private help, bug fixes, support, ports, new features
                  | https://www.wolfssl.com/contact/