Kerberos 1.9, can it be compiled to use OpenSSL .9.8 (FIPS140-2)?
Tom Yu
tlyu at MIT.EDU
Tue Jan 11 16:09:09 EST 2011
Robert <fuzzyhypothesis at yahoo.com> writes:
> Problem is I want to use the FIPS-140-2 certified version of
> OpenSSL, which is currently at .9.8. Is there a different option to
> set this up that I am missing? Or is 1.9 only going to use OpenSSL
> 1.0 and up?
It's a known issue due to the use of the CTS mode API that is only
present in OpenSSL >=1.0:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6747&user=guest&pass=guest
It should be possible to implement CTS mode on top of the CBC mode of
OpenSSL 0.9.8. We would be happy to consider a patch. There may be
other dependencies on OpenSSL >=1.0 but that is the main one that I am
aware of.
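
Added example, not part of the message above and not MIT krb5 or OpenSSL code: a sketch of the construction the reply describes, ciphertext stealing (CTS) built from nothing but a CBC primitive. Assumptions: the variant that always swaps the last two blocks (as in RFC 3962), a 16-byte block, and a small stand-in block cipher in place of AES so the block runs without dependencies; all function names are hypothetical.

```python
import hashlib

BS = 16  # block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _blk(key, b, dec=False):
    # Stand-in block cipher (4-round Feistel over SHA-256), NOT AES.
    l, r = b[:8], b[8:]
    for i in (range(3, -1, -1) if dec else range(4)):
        f = lambda h: hashlib.sha256(key + bytes([i]) + h).digest()[:8]
        l, r = (_xor(r, f(l)), l) if dec else (r, _xor(l, f(r)))
    return l + r

def cbc_encrypt(key, iv, data):  # data length must be a multiple of BS
    out, prev = b"", iv
    for i in range(0, len(data), BS):
        prev = _blk(key, _xor(data[i:i + BS], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BS):
        out += _xor(_blk(key, data[i:i + BS], True), prev)
        prev = data[i:i + BS]
    return out

def cts_encrypt(key, iv, pt):
    if len(pt) < BS:
        raise ValueError("CTS needs at least one full block")
    pad = -len(pt) % BS
    c = cbc_encrypt(key, iv, pt + bytes(pad))  # zero-pad, plain CBC
    if len(c) == BS:
        return c  # single block: nothing to swap
    # Swap the last two blocks, truncate the moved one to the input length.
    return c[:-2 * BS] + c[-BS:] + c[-2 * BS:-BS - pad]

def cts_decrypt(key, iv, ct):
    n = len(ct)
    if n < BS:
        raise ValueError("CTS needs at least one full block")
    if n == BS:
        return cbc_decrypt(key, iv, ct)
    r = n % BS or BS  # bytes in the truncated final block
    head, last, part = ct[:n - BS - r], ct[n - BS - r:n - r], ct[n - r:]
    # Zero-IV CBC on one block is a raw block decrypt; its tail is the stolen part.
    prev = part + cbc_decrypt(key, bytes(BS), last)[r:]
    return cbc_decrypt(key, iv, head + prev + last)[:n]
```

The ciphertext is exactly as long as the plaintext, and the decrypt side needs only CBC decryption, including the single-block call with an all-zero IV.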