On Fri, 8 Jul 2022 12:18:39 +0000 Rob Stradling <[email protected]> wrote:
> Hi Hanno. I agree that the OpenSSL 0.9.8 branch contained ECDSA
> code, but it was possible for distro maintainers to easily disable
> this during the build process. I know that Red Hat did this due to
> ECC patent concerns, and I've always assumed that Debian did too.
>
> Have you looked into whether or not Debian's 2008 OpenSSL build
> process started with something like this...

It doesn't. Check here, which is one of the versions in the affected
timeframe:
https://snapshot.debian.org/package/openssl/0.9.8g-3/

openssl_0.9.8g-3.diff.gz adds a few no-* options to the compilation,
but not no-ec.

Also given I actually created ec keys with those affected versions I am
pretty sure they haven't disabled it :-)

--
Hanno Böck
https://hboeck.de/
