On Tuesday, March 24, 2020 4:43:00 PM CET Daniel Stenberg via curl-library wrote:
> Hi friends!
>
> The current git master of OpenSSL gives us some clues of what's going to
> happen when OpenSSL version 3 ships, planned for Q3 2020 I believe. I make a
> curl build against that every once in a while to see if anything falls
> over.
>
> This time several things did, while two of the issues were easily worked
> around there's a third one that might need some thoughts:
>
> 1. SSL_CTX_load_verify_locations() is deprecated, but the replacement
> functions seem easy to use instead.
>
> 2. The MD4 functions are deprecated, but since we have private MD4 code
> already it is easy to switch to using that instead.
>
> Now for the one that gives me problems:
>
> 3. The DES functions are deprecated. Meaning they're marked as such in the
> public headers and they will cause compiler warnings when used and if we
> build curl with -Werror we get build errors.
>
> I presume the DES functions are going away because DES is a notoriously weak
> and crappy cipher. curl uses DES for the NTLM implementation, and while it
> is a very icky authentication protocol and complicated to get right in the
> code, I get the feeling there are still quite a few curl users using NTLM.
>
> So what do we do? I can think of at least 4 different ways to go with this,
> each choice with its own set of baggage to carry:
>
> A) Live with (and work around) the compiler warnings as long as we can link
> fine. (We don't know for how long that'll work.)
>
> B) Disable NTLM when OpenSSL version 3 or later is used
>
> C) Import DES code (as we have done for MD4 and MD5) and build with that
> code when OpenSSLv3 is used.
>
> D) Use another 3rd party DES lib (which?) when OpenSSLv3 is used.
>
> E) Other: ________
>
> I think I personally am in the C or D camp for the moment.
>
> Thoughts?

Option C is going to cause a disaster while importing such code to enterprise
OS distributions because of export control and FIPS-like certifications.

Let me first ask internally what a preferred choice for Red Hat would be...

Kamil