nodejs / node-convergence-archive

Archive for node/io.js convergence work pre-3.0.0
https://github.com/nodejs/io.js/issues/2327

Node, OpenSSL, and patented encryption algorithms #70

Closed sthomas-github closed 9 years ago

sthomas-github commented 9 years ago

Hi,

I posted this question in the Node.js mailing list, but think it could have implications for how Node.js is built and distributed, so copying here. It may just be an issue of clarification on my part.


I'm writing to ask about OpenSSL as a dependency of Node.js and specifically RC5 encryption. We were asked today by one of our lawyers if RC5 is included in the NodeJS distribution for Windows. He understood that Node included OpenSSL and was concerned that it might also be distributing the RC5 algorithm and other patent-protected algorithms. The OpenSSL FAQ page, for example, mentions these algorithms in passing:

Do I need patent licenses to use OpenSSL? For information on intellectual property rights, please consult a lawyer. The OpenSSL team does not offer legal advice. You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using ./config no-idea no-mdc2 no-rc5

Also, while I'm not very familiar with the guts of NodeJS and don't often traffic at that level, if I search the GitHub repo, RC5 turns up a few times, e.g. in this file, which appears as though it is linked in for Windows.

An issue was raised a while back that mentioned this as a concern in the context of FreeBSD and proposed removing or disabling RC5 as well as some other algorithms, but this doesn't appear to have been merged.

Anyway, that's all I've been able to find. I'm not looking for legal advice, but rather information on whether RC5 (and perhaps IDEA and MDC2 as well) are (1) distributed and (2) enabled (by default or not) in the NodeJS distribution for Windows. If so, how could we prevent their use in the code, disable them, and preferably remove them from the distribution? If not, and you can provide a reference that I can pass on, I would be very grateful.


Since writing that post, I think the same question is relevant for *nix platforms. A small percentage of our customers are running Ubuntu or RHEL, so would appreciate insight for those platforms, also, if any different than the Windows discussion.

Thanks in advance,

Steve ... Steve Thomas Pittsburgh, PA

sthomas-github commented 9 years ago

If I should instead be posting this to https://github.com/joyent/node/issues, please let me know.

sthomas-github commented 9 years ago

My apologies, I clicked the wrong button and closed the issue by mistake. --Steve

bnoordhuis commented 9 years ago

MDC2 and RC5 are disabled by default. IDEA is enabled, however. You can check yourself with iojs -p 'require("crypto").getCiphers()'.

If you want to disable IDEA, you can add OPENSSL_NO_IDEA to the defines in deps/openssl/openssl.gyp.

sthomas-github commented 9 years ago

Thanks, Ben.

Re: IDEA, I take it that we would need to recompile Node after adjusting the openssl.gyp file, or do I have that wrong? Can it be disabled otherwise in JavaScript code without rebuilding?

I don't know as much about the legal status of IDEA, so I will need to look into that in more detail.

Thanks again!

sthomas-github commented 9 years ago

Some information on IDEA: http://www.quadibloc.com/crypto/co040302.htm

bnoordhuis commented 9 years ago

You'd have to recompile, yes.

sthomas-github commented 9 years ago

Thanks, Ben. Your help is much appreciated. --Steve

sthomas-github commented 9 years ago

When I run the getCiphers() command above, I don't see RC5 or MDC2, as Ben indicated. I do get a few IDEA-based ciphers:

'idea', 'idea-cbc', 'idea-cfb', 'idea-ecb', 'idea-ofb',

It looks like I might be able to exclude the IDEA algorithm from the ciphers used, as shown on this page, where !RC4 is used (as an example). Perhaps I could do the same with !IDEA. I'll give that a try, and if it works, perhaps that will be sufficient for the lawyers.
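The getCiphers() check discussed in this thread, written as a repeatable build audit (an added example, not code posted by any participant). The family patterns are assumptions about how OpenSSL names these algorithms, and the sample list is constructed from the IDEA names quoted above.

```javascript
// Added example. Patterns are assumptions about the names OpenSSL reports
// through crypto.getCiphers() and crypto.getHashes().
const BANNED = {
  IDEA: /^idea(-|$)/i, // idea, idea-cbc, idea-cfb, ...
  RC5: /^rc5(-|$)/i,   // rc5, rc5-cbc, ...
  MDC2: /mdc2/i,       // mdc2 digest and RSA-with-MDC2 names
};

// Group every algorithm name in the build that belongs to a banned family.
function auditAlgorithms(ciphers, hashes) {
  const names = [...new Set([...ciphers, ...hashes])];
  const report = {};
  for (const [family, pattern] of Object.entries(BANNED)) {
    report[family] = names.filter((n) => pattern.test(n)).sort();
  }
  return report;
}

// Families that have at least one algorithm compiled in.
function violations(report) {
  return Object.keys(report).filter((f) => report[f].length > 0);
}

// Constructed sample input: the IDEA names quoted in the thread plus a
// few unrelated algorithms that must not be flagged.
const SAMPLE_CIPHERS = [
  "aes-128-cbc", "aes-256-gcm", "rc4",
  "idea", "idea-cbc", "idea-cfb", "idea-ecb", "idea-ofb",
];
const SAMPLE_HASHES = ["md5", "sha1", "sha256"];

// Audit the running binary under CommonJS; otherwise audit the sample.
function auditThisBuild() {
  if (typeof require !== "function") {
    return auditAlgorithms(SAMPLE_CIPHERS, SAMPLE_HASHES);
  }
  const crypto = require("crypto");
  return auditAlgorithms(crypto.getCiphers(), crypto.getHashes());
}

const report = auditThisBuild();
for (const family of violations(report)) {
  console.log(`${family} present: ${report[family].join(", ")}`);
}
console.log(violations(report).length ? "banned families found" : "clean");
```

A TLS cipher string such as `!IDEA` only filters the suites the tls module negotiates; the algorithm stays in the binary and remains reachable through the crypto module. Run this audit against a rebuilt binary to confirm that a define such as OPENSSL_NO_IDEA took effect.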

rvagg commented 9 years ago

Please take this to the new https://github.com/nodejs/node repo if it's still valid for discussion.

bnoordhuis commented 9 years ago

For posterity, I had a typo in my comment: it said OPENSSL_NO_ASM instead of OPENSSL_NO_IDEA. Updated.