Kerberos 1.9, can it be compiled to use OpenSSL .9.8 (FIPS140-2)?

Tom Yu tlyu at MIT.EDU
Tue Jan 11 16:09:09 EST 2011


Robert <fuzzyhypothesis at yahoo.com> writes:

> Problem is I want to use the FIPS-140-2 certified version of
> OpenSSL, which is currently at .9.8.  Is there a different option to
> set this up that I am missing?  Or is 1.9 only going to use OpenSSL
> 1.0 and up?

It's a known issue due to the use of the CTS mode API that is only
present in OpenSSL >=1.0:

  http://krbdev.mit.edu/rt/Ticket/Display.html?id=6747&user=guest&pass=guest

It should be possible to implement CTS mode on top of the CBC mode of
OpenSSL 0.9.8.  We would be happy to consider a patch.  There may be
other dependencies on OpenSSL >=1.0 but that is the main one that I am
aware of.


