Kerberos 1.9, can it be compiled to use OpenSSL .9.8 (FIPS140-2)?

Robert fuzzyhypothesis at
Tue Jan 11 16:30:59 EST 2011


That would be great (the patch that is).  Thank you.

I have a feeling I will not be the only one asking about this as other folks 
start looking to bump up from 1.8.x.  

Especially since it doesn't look like OSF will get OpenSSL 1.0 FIPS approved any 
time soon.


> Problem is I want to use the FIPS-140-2 certified version of
> OpenSSL, which is currently at .9.8.  Is there a different option to
> set this up that I am missing?  Or is 1.9 only going to use OpenSSL
> 1.0 and up?

It's a known issue due to the use of the CTS mode API that is only
present in OpenSSL >=1.0:

It should be possible to implement CTS mode on top of the CBC mode of
OpenSSL 0.9.8.  We would be happy to consider a patch.  There may be
other dependencies on OpenSSL >=1.0 but that is the main one that I am
aware of.


More information about the Kerberos mailing list