Toke Høiland-Jørgensen toke@toke.dk wrote Fri, 23 Sep 2016 15:18:10 +0200:
I'm maintaining a radsecproxy package for OpenWRT/LEDE which runs openssl 1.0.2h. Keeping compatibility with that would be nice :)
The least painful way of supporting 1.0.2 that I've found is to stop using libcrypto (from OpenSSL) for MD5 and HMAC(MD5).
The openssl11 branch [1] now uses libnettle instead. Please give it a try with 1.0.2 and let me know if things still work well for you. Don't forget to try to authenticate some users, and please test both successful and failing authentication attempts. There's a chance of actual breakage here.
[1] https://git.nordu.net/?p=radsecproxy.git;a=shortlog;h=refs/heads/openssl11
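The two primitives that reply moves off libcrypto, MD5 and HMAC-MD5, are what a RADIUS proxy needs to compute and check the Response Authenticator (RFC 2865) and the Message-Authenticator attribute (RFC 2869). The following is an added illustration, not radsecproxy code and not from the branch above; it uses Python's standard library instead of libnettle so it runs anywhere, and the shared secret, Request Authenticator and attributes are constructed sample values:

```python
import hashlib
import hmac
import struct

# RADIUS header: Code (1), Identifier (1), Length (2), Authenticator (16) -- RFC 2865
HEADER = struct.Struct("!BBH16s")
MSG_AUTH_TYPE = 80  # Message-Authenticator attribute, RFC 2869 section 5.14
def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    length = HEADER.size + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length, request_auth) + attrs + secret).digest()
def message_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2869: HMAC-MD5 keyed with the secret over the packet, Message-Authenticator zeroed
    length = HEADER.size + len(attrs)
    return hmac.new(secret, HEADER.pack(code, ident, length, request_auth) + attrs, hashlib.md5).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """Build a response (e.g. Access-Accept) carrying a Message-Authenticator."""
    zeroed = attrs + bytes([MSG_AUTH_TYPE, 18]) + bytes(16)
    ma = message_authenticator(code, ident, request_auth, zeroed, secret)
    final = attrs + bytes([MSG_AUTH_TYPE, 18]) + ma
    resp_auth = response_authenticator(code, ident, final, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(final), resp_auth) + final

def verify_response(packet, request_auth, secret):
    """True only if the Response Authenticator and Message-Authenticator both match."""
    if len(packet) < HEADER.size or HEADER.unpack_from(packet)[2] != len(packet):
        return False  # truncated, or Length field disagrees with the datagram
    code, ident, _, resp_auth = HEADER.unpack_from(packet)
    attrs = packet[HEADER.size:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, resp_auth):
        return False
    pos = 0  # walk the type/length/value attribute list to find type 80
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False  # malformed attribute
        if atype == MSG_AUTH_TYPE and alen == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            expected_ma = message_authenticator(code, ident, request_auth, zeroed, secret)
            return hmac.compare_digest(expected_ma, attrs[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator present

# Constructed sample values (not real credentials or captured traffic)
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # stands in for the client's random Request Authenticator
ATTRS = bytes([18, 4]) + b"ok"  # Reply-Message attribute (type 18)
ACCEPT = build_response(2, 7, REQ_AUTH, ATTRS, SECRET)  # code 2 = Access-Accept
```

Swapping the hash backend (libcrypto, libnettle, or another) must leave both digests byte-identical, which is why the reply above asks for both successful and failing authentications to be tested.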
Well, it compiles on openwrt at least (or rather, the master branch does). However, pulling in two crypto libraries on an embedded platform is not ideal. Would it be feasible to drop openssl entirely in favour of libnettle? Or maybe something like mbedtls (formerly polarssl; https://tls.mbed.org/)?
What are the issues with two libraries? Size? Assuming you're linking statically I wouldn't expect the few libnettle functions to be too expensive. But I haven't checked closely.
Nettle does crypto stuff but no TLS, so something like mbedtls or any of the other TLS libraries would indeed be needed. Depending on their API, they might be more or less complicated to use as a drop-in replacement for OpenSSL. Please let me know if you get something working (but I have to admit that I'm not overly eager on supporting another TLS library). And oh, beware of the multithreaded nature of this program!