On 04/10/2014 12:42 PM, Arpit Srivastava wrote:
> 1. Can somebody enumerate what are the differences between OpenSSL and
> builtin crypto backends ? What benefits do I have if I use OpenSSL and not
> the builtin version.

There shouldn't be any easily observable benefits or drawbacks except perhaps for performance. Because of API impedance mismatches, I think the built-in module typically gets the best performance in software, but the story may change if OpenSSL is configured to use hardware accelerators.

We have selectable crypto modules because some downstream users have an interest in consolidating crypto implementations for certificational reasons or to more easily address the risk of side-channel attacks.

> 2. Is builtin crypto backend completely interoperable with Windows
> infrastructure (AD etc) ?

There should be no functional differences between the different crypto modules, so to the extent that we are interoperable with Windows on one back end, we should be interoperable with Windows on all of them.

> 5. What version of OpenSSL is compliant with krb-1.10 onwards - because I
> found some updates related to Camellia cipher etc.

I believe OpenSSL 1.0 or later is required for the openssl crypto module because we use CRYPTO_cts128_encrypt and CRYPTO_cts128_decrypt.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
