[Ach] Killing openssl cruft compile time
Hanno Böck
hanno at hboeck.de
Wed Apr 23 12:48:18 CEST 2014
Hi,
I'm currently trying to build a stripped-down openssl. The basic idea
is obvious: Everything that isn't supported by my libs won't be used
and won't provide any attack surface.
I'm on Gentoo so replacing openssl with a self-compiled version is a bit
easier than on other distros.
What seems to work reasonably well so far:
* Disable heartbeat
* Disable zlib-support / compression
* Disable SSL3
* Disable IDEA, RC2, RC5, MD2, MD4, CAST, SEED, GOST algs
What causes trouble:
* Disabling MD5 (openssl won't compile)
* Disabling DSS or RC4 (openssl will compile, but openssh won't compile
against an openssl without these algs)
I already disabled heartbeat on my servers. If I don't see issues
popping up I'll probably deploy the other changes to my servers soon.
Any others with experience with this? Any other things you'd disable?
If you want to test, Gentoo ebuild here:
https://svn.hboeck.de/overlay/dev-libs/openssl
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno at hboeck.de
GPG: BBB51E42
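As an added example (not from the post or the Gentoo overlay), a small Python checker for the result of such a build: it parses `openssl ciphers -v` output and lists every suite that still uses one of the algorithms that were supposed to be compiled out. The `openssl` binary on PATH and the `ALL:COMPLEMENTOFALL` cipher string are assumptions; the sample output is constructed.

```python
# Audit what is actually left in a stripped-down OpenSSL build: parse
# `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` and flag leftover algorithms.
import re
import subprocess

# Algorithms the build was configured without.  MD5 and RC4 are left out on
# purpose: the post reports they cannot be dropped, so their suites remain.
DISABLED = ("IDEA", "RC2", "RC5", "MD2", "MD4", "CAST", "SEED", "GOST")

# One `ciphers -v` line:  NAME  PROTO  Kx=..  Au=..  Enc=..(bits)  Mac=..  [export]
# The PROTO column is ignored on purpose: "SSLv3" there only means the suite
# was introduced with SSLv3; it is still offered over TLS 1.x after no-ssl3.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<Kx>\S+)\s+Au=(?P<Au>\S+)"
    r"\s+Enc=(?P<Enc>\S+)\s+Mac=(?P<Mac>\S+)")

def _algo(value):
    """'AESGCM(256)' -> 'AESGCM', 'RSA(512)' -> 'RSA'."""
    return value.split("(", 1)[0].upper()

def leftover_suites(ciphers_v_output):
    """Return [(suite, column, algorithm)] for suites using a disabled algorithm."""
    hits = []
    for line in ciphers_v_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a cipher entry
        for column in ("Kx", "Au", "Enc", "Mac"):
            algo = _algo(m.group(column))
            if algo.startswith(DISABLED):
                hits.append((m.group("name"), column, algo))
                break  # one finding per suite is enough
    return hits

def audit_binary(openssl="openssl"):
    """Run the real binary (assumed on PATH) and audit its cipher list."""
    out = subprocess.run([openssl, "ciphers", "-v", "ALL:COMPLEMENTOFALL"],
                         capture_output=True, text=True, check=True).stdout
    return leftover_suites(out)

# Constructed sample in the `ciphers -v` format of OpenSSL 1.0.x, not captured
# from the build described in the post.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
GOST2001-GOST89-GOST89  SSLv3 Kx=GOST     Au=GOST01 Enc=GOST89(256) Mac=GOST89
"""
```

`leftover_suites(SAMPLE_CIPHERS_V)` reports the IDEA, RC2 and GOST suites and leaves RC4-MD5 alone, which is the expected outcome for the build described above.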