
Re: Incoming DES headache with OpenSSL 3

From: Kamil Dudka via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 24 Mar 2020 17:22:27 +0100

On Tuesday, March 24, 2020 4:43:00 PM CET Daniel Stenberg via curl-library
wrote:
> Hi friends!
>
> The current git master of OpenSSL gives us some clues of what's going to
> happen when OpenSSL version 3 ships, planned for Q3 2020 I believe. I make a
> curl build against that every once in a while to see if anything falls
> over.
>
> This time several things did. While two of the issues were easily worked
> around, there's a third one that might need some thoughts:
>
> 1. SSL_CTX_load_verify_locations() is deprecated, but the replacement
> functions seem easy to use instead.
>
> 2. The MD4 functions are deprecated, but since we have private MD4 code
> already it is easy to switch to using that instead.
>
> Now for the one that gives me problems:
>
> 3. The DES functions are deprecated. Meaning they're marked as such in the
> public headers and they will cause compiler warnings when used and if we
> build curl with -Werror we get build errors.
>
> I presume the DES functions are going away because DES is a notoriously weak
> and crappy cipher. curl uses DES for the NTLM implementation, and while it
> is a very icky authentication protocol and complicated to get right in the
> code, I get the feeling there are still quite a few curl users using NTLM.
>
> So what do we do? I can think of at least 4 different ways to go with this,
> each choice with its own set of baggage to carry:
>
> A) Live with (and work around) the compiler warnings as long as we can link
> fine. (We don't know for how long that'll work.)
>
> B) Disable NTLM when OpenSSL version 3 or later is used
>
> C) Import DES code (as we have done for MD4 and MD5) and build with that
> code when OpenSSLv3 is used.
>
> D) Use another 3rd party DES lib (which?) when OpenSSLv3 is used.
>
> E) Other: ________
>
> I think I personally am in the C or D camp for the moment.
>
> Thoughts?

Option C is going to cause a disaster while importing such code to enterprise
OS distributions because of export control and FIPS-like certifications. Let
me first ask internally what a preferred choice for Red Hat would be...

Kamil
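Whichever of the options A to E is chosen, the first practical step is an inventory of every call site that the OpenSSL 3 deprecations touch. The script below is an added example, not code from curl or from anyone in this thread: it scans C source text for the low-level DES_* and MD4_* functions and SSL_CTX_load_verify_locations() that OpenSSL 3.0 marks deprecated, ignores mentions inside comments and string literals so they do not produce false hits, and groups the results by the three issues Daniel lists. The deprecated symbol names are the ones from OpenSSL 3.0's headers; the suggested replacements for the first two groups (SSL_CTX_load_verify_file()/SSL_CTX_load_verify_dir(), and curl's private MD4 code) are my reading of the thread, not anything it spells out, and the C sample it runs on is constructed for the example.

```python
"""Audit C source text for OpenSSL APIs that OpenSSL 3.0 deprecates."""
import re
from collections import defaultdict

# Three symbol families matching the three issues raised in the thread.
# The DES_*/MD4_* names are the low-level functions OpenSSL 3.0 marks
# OSSL_DEPRECATEDIN_3_0; the list is deliberately limited to common ones.
DEPRECATED = {
    "verify-locations": {"SSL_CTX_load_verify_locations"},
    "md4": {"MD4", "MD4_Init", "MD4_Update", "MD4_Final"},
    "des": {"DES_set_key", "DES_set_key_unchecked", "DES_key_sched",
            "DES_set_odd_parity", "DES_ecb_encrypt", "DES_ncbc_encrypt"},
}

# What to do about each family (my suggestions; DES is the open question).
GUIDANCE = {
    "verify-locations": "use SSL_CTX_load_verify_file()/SSL_CTX_load_verify_dir()",
    "md4": "switch to curl's private MD4 implementation",
    "des": "undecided (options A-E in the thread); every call site below is affected",
}

# Block comments, line comments and string literals are blanked before
# matching so that a name mentioned in a comment does not count as a call.
_COMMENT_OR_STRING = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)
_CALL = re.compile(r'\b([A-Za-z_][A-Za-z0-9_]*)\s*\(')


def _blank(match):
    """Replace a comment/string with spaces, keeping newlines so line numbers survive."""
    return re.sub(r'[^\n]', ' ', match.group(0))


def scan_source(text):
    """Return {family: [(line_no, symbol), ...]} for deprecated calls found in text."""
    code = _COMMENT_OR_STRING.sub(_blank, text)
    lookup = {sym: fam for fam, syms in DEPRECATED.items() for sym in syms}
    hits = defaultdict(list)
    for match in _CALL.finditer(code):
        sym = match.group(1)
        if sym in lookup:
            line_no = code.count('\n', 0, match.start()) + 1
            hits[lookup[sym]].append((line_no, sym))
    return dict(hits)


def report(text):
    """Render the scan as one human-readable line per call site."""
    lines = []
    for fam, sites in sorted(scan_source(text).items()):
        lines.append(f"[{fam}] {GUIDANCE[fam]}")
        lines.extend(f"  line {n}: {sym}()" for n, sym in sites)
    return "\n".join(lines)


# Constructed sample: a DES helper in the style of an NTLM implementation
# plus a CA-loading function. Not curl's code.
SAMPLE = r'''
/* DES_ecb_encrypt() in a comment must not count */
#include <openssl/des.h>
static void ntlm_des(const unsigned char *key56, unsigned char *out)
{
  DES_key_schedule ks;
  DES_cblock key;
  extend_key_56_to_64(key56, (char *)key);   /* hypothetical helper */
  DES_set_odd_parity(&key);
  DES_set_key(&key, &ks);
  DES_ecb_encrypt((DES_cblock *)out, (DES_cblock *)out, &ks, DES_ENCRYPT);
}
int load_ca(SSL_CTX *ctx) { return SSL_CTX_load_verify_locations(ctx, "ca.pem", NULL); }
'''

if __name__ == "__main__":
    print(report(SAMPLE))
```

Point `scan_source()` at the contents of a real file (for curl that would be lib/curl_ntlm_core.c and lib/vtls/openssl.c) to get the same grouped listing; the comment-stripping step matters because a header comment often names the very function being replaced.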

Received on 2020-03-24