Re: [radsecproxy] OpenSSL 1.1
23 Sep
2016
23 Sep
'16
3:18 p.m.
Linus Nordberg <linus(a)nordu.net> writes:
Toke Høiland-Jørgensen <toke(a)toke.dk> wrote
Mon, 05 Sep 2016 22:32:03 +0200:
Well, it compiles on openwrt at least (or rather, the master branch
does). However, pulling in two crypto libraries on an embedded platform
is not ideal. Would it be feasible to drop openssl entirely in favour of
libnettle? Or maybe something like mbedtls (formerly polarssl;
https://tls.mbed.org/)?
Don't have a setup that'll let me test running right now... Will see if
I can get one setup...
-Toke
Linus Nordberg <linus(a)nordu.net> writes:
The least painful way of supporting 1.0.2 that I've found is to stop
using libcrypto (from OpenSSL) for MD5 and HMAC(MD5).
The openssl11 branch [1] now uses libnettle instead. Please give it a
try with 1.0.2 and let me know if things still work well for you. Don't
forget to try to authenticate some users and please test both succesful
and failing authentication attempts. There's a chance for actual
breakage here.
[1]
https://git.nordu.net/?p=radsecproxy.git;a=shortlog;h=refs/heads/openssl11 Hi,
Thanks to Faidon, we've got an issue [1] tracking the work of getting
radsecproxy to work with OpenSSL 1.1.
[1] https://project.nordu.net/browse/RADSECPROXY-66>
The questions now are 1) does the proposed patch work for you and 2) how
little backwards compatibility can we get away with?
If you're a radsecproxy user, what version(s) of OpenSSL do you really
need support for?
I'm maintaining a radsecproxy package for OpenWRT/LEDE which runs
openssl 1.0.2h. Keeping compatibility with that would be nice :)