On Thu, 2017-08-31 at 13:02 -0400, Tom Callaway wrote:
On 08/20/2017 07:50 PM, Sérgio Basto wrote:
Hello, I reopen or start thinking again on this question of enable elliptic curves of openssl [1] So going directly to the point, may I built all source of openssl in copr [2] ? or at least some other curves that fedora package don't ship?
The curves and functionality which are disabled in the Fedora packages of OpenSSL are done so for legal reasons.
hum
The very nature of those "legal reasons" makes it difficult to be more specific, as doing so could potentially expose Red Hat to increased liability. I realize this is problematic, but it is the reality we have to work with.
Red Hat is still liable for packages in coprs, so you cannot put a "all source build" of openssl there.
However, I would ask if there is a specific curve that is not enabled in OpenSSL that you need for a specific reason, please let me know, as I am willing to look into the legal specifics around any justified cases to see what we can do.
Yes , some people, I mean, not just me, asked to enable some curves, I had summarize it in [1] . We ask to enable prime192v1, secp224r1 and sect233k1 elliptic curves but the reply was: "I would view enabling EC curves smaller than 256 bits as a security regression. So I am wontfixing this bug. "
So first, is legal have prime192v1, secp224r1 and sect233k1 enabled ?
On other hand, I prefer have a blacklist of legal curves, than a white list like we have today. I think if openssl distribute it, should be a gray area, because if IIRC Debian enable all or at least much more (I have to check that better ...)
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1405843#c5
~tom