[ntp:questions] Re: query on ntp-keygen & openssl version
Rainer Orth
ro at TechFak.Uni-Bielefeld.DE
Tue Mar 15 17:56:36 UTC 2005
Harlan Stenn <stenn at ntp1.isc.org> writes:

> It is apparently Important that one use the version of OpenSSL that was
> compiled for.

But the current check is way too strict. See e.g. OpenSSH entropy.c
(init_rng) for the proper way to do this (ignoring differences in the patch
level which don't by design change interfaces).

> Otherwise there can be interface changes and other issues, the net result
> being a security compromise.

This is accounted for by the way OpenSSH handles this. The strict
dependence on the exact version of OpenSSL compiled against is a
maintenance nightmare.

Rainer
--
-----------------------------------------------------------------------------
Rainer Orth, Faculty of Technology, Bielefeld University
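
The kind of relaxed check the message above argues for, as an added example that is not part of the original post and is not OpenSSH's or NTP's own code: it compares the build-time and run-time OpenSSL version numbers while ignoring only the patch field. Function names and sample version values are constructed for illustration; the 0xMNNFFPPS layout is OpenSSL's pre-3.0 version-number encoding.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL (pre-3.0) packs its version number as 0xMNNFFPPS:
 * M major, NN minor, FF fix, PP patch letter, S status (0xf = release). */
#define PATCH_MASK 0x00000ff0UL

/* Strict check: every field, including the patch letter, must be identical. */
int strict_match(unsigned long built, unsigned long runtime)
{
    return built == runtime;
}

/* Relaxed check: major, minor, fix and status must agree; patch may differ. */
int relaxed_match(unsigned long built, unsigned long runtime)
{
    return ((built ^ runtime) & ~PATCH_MASK) == 0;
}

/* Decode a version number into "M.N.Fp" text for diagnostics. */
int format_version(unsigned long v, char *buf, size_t len)
{
    unsigned patch = (unsigned)((v >> 4) & 0xff);
    char letter[2] = { patch ? (char)('a' + patch - 1) : '\0', '\0' };

    return snprintf(buf, len, "%lu.%lu.%lu%s",
                    (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 12) & 0xff, letter);
}

int main(void)
{
    /* Constructed samples: built against 0.9.7d, run against other releases. */
    unsigned long built = 0x0090704fUL;
    unsigned long runtime[] = { 0x0090704fUL, 0x0090705fUL, 0x009060dfUL };
    char b[16], r[16];
    size_t i;

    format_version(built, b, sizeof b);
    for (i = 0; i < sizeof runtime / sizeof runtime[0]; i++) {
        format_version(runtime[i], r, sizeof r);
        printf("built %s, runtime %s: strict=%d relaxed=%d\n", b, r,
               strict_match(built, runtime[i]), relaxed_match(built, runtime[i]));
    }
    return 0;
}
```

A patch-level upgrade (0.9.7d to 0.9.7e) passes the relaxed check and fails the strict one, while a change in the fix or status field is rejected by both.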