On 23 Sep 2016, 23:14, Linus Nordberg linus@nordu.net wrote:
Toke Høiland-Jørgensen toke@toke.dk wrote Fri, 23 Sep 2016 18:56:48 +0200:
Linus Nordberg linus@nordu.net writes:
Toke Høiland-Jørgensen toke@toke.dk wrote Fri, 23 Sep 2016 15:18:10 +0200:
I'm maintaining a radsecproxy package for OpenWRT/LEDE which runs openssl 1.0.2h. Keeping compatibility with that would be nice :)
The least painful way of supporting 1.0.2 that I've found is to stop using libcrypto (from OpenSSL) for MD5 and HMAC(MD5).
The openssl11 branch [1] now uses libnettle instead. Please give it a try with 1.0.2 and let me know if things still work well for you. Don't forget to try to authenticate some users and please test both successful and failing authentication attempts. There's a chance for actual breakage here.
[1] https://git.nordu.net/?p=radsecproxy.git;a=shortlog;h=refs/heads/openssl11%3...
Well, it compiles on openwrt at least (or rather, the master branch does). However, pulling in two crypto libraries on an embedded platform is not ideal. Would it be feasible to drop openssl entirely in favour of libnettle? Or maybe something like mbedtls (formerly polarssl; https://tls.mbed.org/)?
What are the issues with two libraries? Size? Assuming you're linking statically I wouldn't expect the few libnettle functions to be too expensive. But I haven't checked closely.
Static linking? Blasphemy! ;) But no, I don't have hard numbers on the size differences either way. And this is not something that's bothering me enough to write code. Just thought I'd point it out as a consideration for when you're doing house-cleaning and/or planning future development directions :)
It's a good point and one that I didn't consider when adding libnettle as an unconditional dependency. Actually, I'm not thinking of radsecproxy as something living on anything smaller than a "server" in a "data center". Anyone else running radsecproxy under a more constrained environment?
Sure, on a number of TP-Link APs. Works like a charm for "mobile" eduroam. If it wasn't for OpenSSL it would even fit on MR3020 (the ripe atlas v3 board).
:)
(Last time I looked at embedded, shared libraries were out of the question. Since then, I guess there are more flavours to consider than "embedded" and "not embedded". :))
radsecproxy mailing list radsecproxy@lists.nordu.net https://lists.nordu.net/listinfo/radsecproxy