[ntp:questions] Re: query on ntp-keygen & openssl version

Rainer Orth ro at TechFak.Uni-Bielefeld.DE
Tue Mar 15 17:56:36 UTC 2005

Harlan Stenn <stenn at ntp1.isc.org> writes:

> It is apparently Important that one use the version of OpenSSL that was
> compiled for.

But the current check is way too strict.  See e.g. OpenSSH entropy.c
(init_rng) for the proper way to do this (ignoring differences in the patch
level which don't by design change interfaces).

> Otherwise there can be interface changes and other issues, the net result
> being a security compromise.

This is accounted for by the way OpenSSH handles this.  The strict
dependence on the exact version of OpenSSL compiled against is a
maintenance nightmare.


Rainer Orth, Faculty of Technology, Bielefeld University

More information about the questions mailing list