[ntp:questions] Re: query on ntp-keygen & openssl version

Brian Inglis Brian.Inglis at SystematicSW.Invalid
Wed Mar 16 01:11:19 UTC 2005


On 15 Mar 2005 18:56:36 +0100 in comp.protocols.time.ntp, Rainer Orth
<ro at TechFak.Uni-Bielefeld.DE> wrote:

>Harlan Stenn <stenn at ntp1.isc.org> writes:
>
>> It is apparently Important that one use the version of OpenSSL that was
>> compiled for.
>
>But the current check is way too strict.  See e.g. OpenSSH entropy.c
>(init_rng) for the proper way to do this (ignoring differences in the patch
>level which don't by design change interfaces).
>
>> Otherwise there can be interface changes and other issues, the net result
>> being a security compromise.
>
>This is accounted for by the way OpenSSH handles this.  The strict
>dependence on the exact version of OpenSSL compiled against is a
>maintenance nightmare.

Can't this be handled by symlinks to dynamic libraries, or else by a
simple patch to the checking code? 

-- 
Thanks. Take care, Brian Inglis 	Calgary, Alberta, Canada

Brian.Inglis at CSi.com 	(Brian[dot]Inglis{at}SystematicSW[dot]ab[dot]ca)
    fake address		use address above to reply
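
The difference between the strict check and a relaxed one that ignores the patch level, as discussed in the thread, shown as an added example that is not part of the original message and is not ntp's or OpenSSH's own code. It assumes the pre-3.0 OpenSSL version-number layout 0xMNNFFPPS; the function names and sample values are constructed for illustration.

```c
#include <stdio.h>

/* Assumed layout (pre-3.0 OpenSSL): 0xMNNFFPPS
 * M major, NN minor, FF fix, PP patch letter, S status (0xf = release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver d;
    d.major  = (unsigned)((v >> 28) & 0xf);
    d.minor  = (unsigned)((v >> 20) & 0xff);
    d.fix    = (unsigned)((v >> 12) & 0xff);
    d.patch  = (unsigned)((v >> 4) & 0xff);
    d.status = (unsigned)(v & 0xf);
    return d;
}

/* Strict check: build-time and run-time versions must be identical. */
static int ossl_match_strict(unsigned long built, unsigned long running)
{
    return built == running;
}

/* Relaxed check: ignore only the PP (patch) byte; major, minor, fix
 * and status must still match. */
#define OSSL_PATCH_MASK 0x00000ff0UL
static int ossl_match_relaxed(unsigned long built, unsigned long running)
{
    return ((built ^ running) & ~OSSL_PATCH_MASK) == 0;
}

int main(void)
{
    /* Constructed pairs: {built against, found at run time}. In a real
     * program these would be OPENSSL_VERSION_NUMBER and SSLeay(). */
    static const unsigned long pairs[][2] = {
        {0x0090704fUL, 0x0090705fUL},  /* 0.9.7d vs 0.9.7e: patch only  */
        {0x0090704fUL, 0x0090800fUL},  /* 0.9.7d vs 0.9.8: fix differs  */
        {0x0090704fUL, 0x00907040UL},  /* release vs development build  */
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        struct ossl_ver r = ossl_decode(pairs[i][1]);
        printf("built %08lx, running %08lx (%u.%u.%u patch %u): strict=%d relaxed=%d\n",
               pairs[i][0], pairs[i][1], r.major, r.minor, r.fix, r.patch,
               ossl_match_strict(pairs[i][0], pairs[i][1]),
               ossl_match_relaxed(pairs[i][0], pairs[i][1]));
    }
    return 0;
}
```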


