--- Charles Daminato <chuck@opensrs.org> wrote:
>When the code was originally developed, Crypt::CBC was the best thing
>available. When Lincoln Stein moved more towards OpenSSL standards, the
>versions weren't backwards compatible.
>
>Using the client with 1.22 or higher didn't work.
>Upgrading the server to 1.22 broke everyone (over 700 at the time) that
>was using 1.20.
>
>In the meantime, we require 1.20, until we can obtain the time to revisit
>the issue. Chances are we'll get rid of CBC and DES altogether, and start
>using Blowfish, which has stronger encryption, it's faster, and runs on
>more platforms (but export laws restricted its use when we developed).
>
>Thanks :)
>
>Mike Bilow wrote:
>>
>> On Wed, 22 Mar 2000, Bill Gerrard wrote:
>>
>> > > 1. The whole encryption scheme based upon obsolete versions and
>> > > unmaintained Perl modules must be scrapped; it is a house of cards.
>> >
>> > It wasn't an obsolete version when it was released. Please see the
>> > OpenSRS mailing list archives for Lincoln Stein's very message on the
>> > subject:
>> >
>> > http://www.opensrs.org/archives/dev-list/0308.html
>>
>> I appreciate your point, and I was in the process of reading that archive
>> when your message just arrived. In fact, I was reading Lincoln's message.
>>
>> A couple of issues:
>>
>> 1. The Crypt::DES module was unsupported when OpenSRS decided to use it.
>>
>> 2. If the OpenSRS server (which apparently is written in Perl) is upgraded
>> to use the current Crypt::CBC library, why would this not work for both
>> older and newer clients?
>>
>> Regardless, some sort of long-term solution is needed here. It is crazy
>> to lock a protocol to a particular language such as Perl, let alone to a
>> particular obsolete version of a particular module.
>>
>> -- Mike
>
>--
>
>Charles Daminato
>OpenSRS Technical Operations
>chuck@opensrs.org
Interestingly enough, an IRC bot called eggdrop, which
is written in C, uses Blowfish to encrypt passwords for
channel security. I wonder which is more important, a chat
password or a password to a domain name! :)
Farhad Sadeghi
Coolfred Internet Services
http://www.coolfred.net
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:22 EDT