[ntp:questions] Re: query on ntp-keygen & openssl version
mayer at gis.net
Wed Mar 16 03:01:23 UTC 2005
At 08:11 PM 3/15/2005, Brian Inglis wrote:
>On 15 Mar 2005 18:56:36 +0100 in comp.protocols.time.ntp, Rainer Orth
><ro at TechFak.Uni-Bielefeld.DE> wrote:
> >Harlan Stenn <stenn at ntp1.isc.org> writes:
> >> It is apparently Important that one use the version of OpenSSL that was
> >> compiled for.
> >But the current check is way too strict. See e.g. OpenSSH entropy.c
> >(init_rng) for the proper way to do this (ignoring differences in the patch
> >level which don't by design change interfaces).
> >> Otherwise there can be interface changes and other issues, the net result
> >> being a security compromise.
> >This is accounted for by the way OpenSSH handles this. The strict
> >dependence on the exact version of OpenSSL compiled against is a
> >maintenance nightmare.
>Can't this be handled by symlinks to dynamic libraries, or else by a
>simple patch to the checking code?
I'm a little startled to hear this is in the code. I will check on this. It
probably shouldn't do it. I'm not sure when I can get to it.
More information about the questions