Re: Incoming DES headache with OpenSSL 3
Date: Thu, 26 Mar 2020 15:58:21 +0100
On Tuesday, March 24, 2020 5:22:27 PM CET Kamil Dudka via curl-library wrote:
> Option C is going to cause a disaster while importing such code to
> enterprise OS distributions because of export control and FIPS-like
> certifications. Let me first ask internally what a preferred choice for
> Red Hat would be...
>
> Kamil
I asked crypto experts at Red Hat and they told me that no immediate action
(like switching to a local DES implementation) should be needed. Please see
their unredacted responses below:
On Tuesday, March 24, 2020 6:12:44 PM CET Tomas Mraz wrote:
> The low level DES function is deprecated, not removed. The removal will
> only happen in OpenSSL 4.0 (if that release comes after at least 5
> years) at the earliest. I do not think they need to do anything with it
> yet.
>
> Also DES might be available through a legacy OpenSSL crypto provider
> even after that time except the API will be different.
On Tuesday, March 24, 2020 6:18:41 PM CET Hubert Kario wrote:
> yes, for data at rest (if only for PKCS#12 files) there will need to be a
> way to use old and completely broken algorithms like DES, RC2, RC4, etc.
>
> it may not be as easy as now, but an implementation will have to remain
> there "forever"
So, as I understand it, eliminating the warnings and eventually moving to
a different API of OpenSSL should be sufficient in the near future.
Kamil
Received on 2020-03-26