On Tue, Mar 24, 2020 at 4:49 PM Daniel Stenberg via curl-library <curl-library@cool.haxx.se> wrote:
>
> Hi friends!
>
> The current git master of OpenSSL gives us some clues of what's going to
> happen when OpenSSL version 3 ships, planned for Q3 2020 I believe. I make a
> curl build against that every once in a while to see if anything falls over.
>
> This time several things did, while two of the issues were easily worked
> around there's a third one that might need some thoughts:
>
> 1. SSL_CTX_load_verify_locations() is deprecated, but the replacement
> functions seem easy to use instead.
>
> 2. The MD4 functions are deprecated, but since we have private MD4 code
> already it is easy to switch to using that instead.
>
> Now for the one that gives me problems:
>
> 3. The DES functions are deprecated. Meaning they're marked as such in the
> public headers and they will cause compiler warnings when used and if we
> build curl with -Werror we get build errors.
>
> I presume the DES functions are going away because DES is a notoriously weak
> and crappy cipher. curl uses DES for the NTLM implementation, and while it is
> a very icky authentication protocol and complicated to get right in the code,
> I get the feeling there are still quite a few curl users using NTLM.

Is it only DES_ECB that's gone? If DES_CBC is still available, it may be
possible to use it with a zeroed IV, similar to:
https://github.com/samba-team/samba/commit/0f855f1ab955e3ecf47689c5e4578eb67ebe8f27

> So what do we do? I can think of at least 4 different ways to go with this,
> each choice with its own set of baggage to carry:
>
> A) Live with (and work around) the compiler warnings as long as we can link
> fine. (We don't know for how long that'll work.)
>
> B) Disable NTLM when OpenSSL version 3 or later is used
>
> C) Import DES code (as we have done for MD4 and MD5) and build with that code
> when OpenSSLv3 is used.
>
> D) Use another 3rd party DES lib (which?) when OpenSSLv3 is used.
>
> E) Other: ________
>
> I think I personally am in the C or D camp for the moment.
>
> Thoughts?
>
> --
>
>   / daniel.haxx.se | Commercial curl support up to 24x7 is available!
>                    | Private help, bug fixes, support, ports, new features
>                    | https://www.wolfssl.com/contact/
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html