Re: OpenSRS crypto lib compatibility

From: Charles Daminato (chuck@opensrs.org)
Date: Wed Mar 22 2000 - 20:45:04 EST


When the code was originally developed, Crypt::CBC was the best thing
available. When Lincoln Stein moved more towards OpenSSL standards, the
versions weren't backwards compatible.

Using the client with 1.22 or higher didn't work.
Upgrading the server to 1.22 broke everyone (over 700 at the time) who
was using 1.20.

In the meantime, we require 1.20, until we can obtain the time to revisit
the issue. Chances are we'll get rid of CBC and DES altogether, and start
using Blowfish, which has stronger encryption, is faster, and runs on
more platforms (but export laws restricted its use when we developed).

Thanks :)

Mike Bilow wrote:
>
> On Wed, 22 Mar 2000, Bill Gerrard wrote:
>
> > > 1. The whole encryption scheme based upon obsolete versions and
> > > unmaintained Perl modules must be scrapped; it is a house of cards.
> >
> > It wasn't an obsolete version when it was released. Please see the
> > OpenSRS mailing list archives for Lincoln Stein's very message on the
> > subject:
> >
> > http://www.opensrs.org/archives/dev-list/0308.html
>
> I appreciate your point, and I was in the process of reading that archive
> when your message just arrived. In fact, I was reading Lincoln's message.
>
> A couple of issues:
>
> 1. The Crypt::DES module was unsupported when OpenSRS decided to use it.
>
> 2. If the OpenSRS server (which apparently is written in Perl) is upgraded
> to use the current Crypt::CBC library, why would this not work for both
> older and newer clients?
>
> Regardless, some sort of long term solution is needed here. It is crazy
> to lock a protocol to a particular language such as Perl, let alone to a
> particular obsolete version of a particular module.
>
> -- Mike

-- 

Charles Daminato OpenSRS Technical Operations chuck@opensrs.org
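Mike's second question (why an upgraded server could not serve both older and newer clients) comes down to whether the server can tell which wire format a message uses. The script below is an added example written for this thread, not OpenSRS code. It assumes a Crypt::CBC new enough to support the -header option (2.x or later) with Crypt::DES and Crypt::Blowfish installed, and it assumes (the thread does not say so) that the 1.20-era layout is Crypt::CBC's older "RandomIV" header and that the OpenSSL-style layout is the "Salted__" header. The key is a constructed value.

```perl
#!/usr/bin/perl
# Added example, not OpenSRS code. Assumes Crypt::CBC >= 2.x (for -header) and
# Crypt::DES / Crypt::Blowfish. The mapping "RandomIV" = legacy 1.20-era format,
# "Salted__" = OpenSSL-style format is an assumption, not taken from the thread.
use strict;
use warnings;
use Crypt::CBC;

my $key = 'shared secret (constructed example value)';

# Pick the container format from the 8-byte header the message carries, so a
# migrating server can accept both old-style and new-style clients instead of
# breaking one population when the library default changes.
sub decryptor_for {
    my ($ciphertext, $cipher) = @_;
    my $header = substr($ciphertext, 0, 8);
    my $style  = $header eq 'RandomIV' ? 'randomiv'
               : $header eq 'Salted__' ? 'salt'
               : die "unrecognised message header; refusing to guess a format\n";
    return Crypt::CBC->new(
        -key    => $key,
        -cipher => $cipher,
        -header => $style,
    );
}

# Simulated clients: one still emitting the legacy header with DES, one using
# the OpenSSL-style header with Blowfish.
my $old_client = Crypt::CBC->new(-key => $key, -cipher => 'DES',      -header => 'randomiv');
my $new_client = Crypt::CBC->new(-key => $key, -cipher => 'Blowfish', -header => 'salt');

for my $msg ($old_client->encrypt('request from a 1.20-era client'),
             $new_client->encrypt('request from a newer client')) {
    # Here the cipher is inferred from the header for the demo only; a real
    # protocol should carry an explicit version field rather than sniffing.
    my $cipher = substr($msg, 0, 8) eq 'RandomIV' ? 'DES' : 'Blowfish';
    my $plain  = decryptor_for($msg, $cipher)->decrypt($msg);
    print "$plain\n";
}
```

The design point is the one Mike raises at the end of his message: as long as the format is pinned to one module's default behaviour there is nothing for the server to branch on, whereas a self-describing envelope (or an explicit protocol version) lets old and new clients coexist during a migration and lets the legacy branch be removed later without another flag day.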
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:22 EDT