Kerberos 1.9, can it be compiled to use OpenSSL .9.8 (FIPS140-2)?
Robert
fuzzyhypothesis at yahoo.com
Tue Jan 11 16:30:59 EST 2011
Tom,
That would be great (the patch that is). Thank you.
I have a feeling I will not be the only one asking about this as other folks
start looking to bump up from 1.8.x.
Especially since it doesn't look like OSF will get OpenSSL 1.0 FIPS approved any
time soon.
FH
> Problem is I want to use the FIPS-140-2 certified version of
> OpenSSL, which is currently at .9.8. Is there a different option to
> set this up that I am missing? Or is 1.9 only going to use OpenSSL
> 1.0 and up?
It's a known issue due to the use of the CTS mode API that is only
present in OpenSSL >=1.0:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6747&user=guest&pass=guest
It should be possible to implement CTS mode on top of the CBC mode of
OpenSSL 0.9.8. We would be happy to consider a patch. There may be
other dependencies on OpenSSL >=1.0 but that is the main one that I am
aware of.
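The approach suggested in the reply above, sketched as an added example (not code from this thread or from MIT krb5): ciphertext stealing in the always-swap form Kerberos uses for AES (RFC 3962), built from nothing but CBC calls. `cbc_encrypt`/`cbc_decrypt` are hypothetical stand-ins for a CBC-only library API such as OpenSSL 0.9.8's, and the Feistel block cipher is a constructed placeholder for AES so the block runs offline; it is not secure.

```python
# Added example: CTS (CBC-CS3, as in RFC 3962) layered on a CBC-only API.
# _block is a constructed stand-in for AES (NOT secure); cbc_* mimic a CBC library.
import hashlib
BS = 16  # cipher block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, decrypt=False):
    l, r = blk[:8], blk[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        f = lambda h: hashlib.sha256(key + bytes([rnd]) + h).digest()[:8]
        l, r = (_xor(r, f(l)), l) if decrypt else (r, _xor(l, f(r)))
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BS):
        prev = _block(key, _xor(data[i:i + BS], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BS):
        out += _xor(_block(key, data[i:i + BS], True), prev)
        prev = data[i:i + BS]
    return out

def cts_encrypt(key, iv, pt):
    if len(pt) < BS:
        raise ValueError("CTS needs at least one full block")
    if len(pt) == BS:
        return cbc_encrypt(key, iv, pt)          # single block: plain CBC
    d = (len(pt) - 1) % BS + 1                   # bytes in the final block
    c = cbc_encrypt(key, iv, pt + bytes(BS - d))  # zero-pad, then ordinary CBC
    # Swap the last two blocks and truncate C[n-1] (now last) to d bytes.
    return c[:-2 * BS] + c[-BS:] + c[-2 * BS:-BS][:d]

def cts_decrypt(key, iv, ct):
    if len(ct) < BS:
        raise ValueError("CTS needs at least one full block")
    if len(ct) == BS:
        return cbc_decrypt(key, iv, ct)
    d = (len(ct) - 1) % BS + 1
    head, cn, part = ct[:-(BS + d)], ct[-(BS + d):-d], ct[-d:]
    # D(C[n]) = C[n-1] XOR (P[n] || 0..0), so its tail is the stolen part of C[n-1].
    x = cbc_decrypt(key, bytes(BS), cn)
    return cbc_decrypt(key, iv, head + part + x[d:] + cn)[:len(ct)]
```

The ciphertext is the same length as the plaintext, and the only operations needed from the underlying library are CBC encryption and CBC decryption (the latter once with a zero IV to recover the stolen bytes).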