First poster:
> We are currently analyzing and understanding the security strength of
> the OpenSSL internal implementation to certify the products.
> In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer
> the following or provide me with the documentation reference:
>
> 1. Does the OpenSSL library use MD5 internally for any operation?
>
> 2. Can we have SHA256 in the ciphersuite with TLSv1.0?
Well-known respondent:
> You're not qualified to perform this analysis.
Second respondent:
> OpenSSL is not open to such analysis if a documentation reference cannot be
> given.
Me:
Actually, the first poster did not describe what kind of certification is being
done, and therefore we have no idea whether or not such documentation is
required. We do have one proof point, the FIPS certification, that shows this
documentation is not required. On the basis of that, and the fact that this is
free open source software, it is not unreasonable for experienced folks to say
"we gave you the source, everything else is up to you."
Taken by themselves, the questions are too vague to really answer. Is using
MD5 as part of the connection setup "internally"? I would interpret question 1
to mean things like power-on self-test, etc., but it's not clear. As for the
second question, I can't even understand it: do they want to know if SHA256 is
in the protocol, the OpenSSL library, the OpenSSL implementation of the
protocol, enabled or disabled by default, or what?
My guess is that English is not the native language, and I would have been more
lenient with the first poster, but based on what was written, the first
respondent seems accurate to me.
/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]