Fedora, DNSSEC and GOST (ECC like) algorithms with openssl

Dmitry Butskoy buc at odusz.so-cdu.ru
Thu Jun 24 15:58:18 UTC 2010

Tom "spot" Callaway wrote:
> On 06/21/2010 12:05 PM, Paul Wouters wrote:
>> On Mon, 21 Jun 2010, Tomas Mraz wrote:
>>>> I would be great if we could change the spec file to have a proper flag
>>>> to enable/disable GOST/ECC so that people can easilly rebuild with GOST
>>>> support if they need to (and it is legal for them). Would that be
>>>> legally possible?
>>> This is not possible as the ECC algorithm sources are removed from the
>>> source tarball prior to adding it to the Fedora CVS.
>> Would it still be possible to have the define with a comment to grab the
>> source outside the CVS repo? I am just trying to minimise the work that
>> has to be done and maintained separately from the Fedora openssl.spec file.
> No, sorry.

AFAIK the GOST engine in openssl-1.0 can be compiled as a shared object. 
IOW, we could create openssl-freeworld in rpmfusion etc...

Besides that, the applications should call now some openssl's init 
routine before the use of ssl, else such an extra engine will not be 
determined by the ssl library at runtime (see 
http://www.cryptocom.ru/OpenSource/OpenSSL_eng.html for more info about 
application patches required for "external GOST engine" + openssl-1.0.0).

Dmitry Butskoy

More information about the devel mailing list