openbmc / google-misc

Apache License 2.0

libcr51sign using old SHA hash functions #2

Open williamspatrick opened 2 years ago

williamspatrick commented 2 years ago
subprojects/libcr51sign/src/meson.build:    '-Wno-error=deprecated-declarations',

I noticed this being used as a hack to enable compile with OpenSSL3. OpenSSL3 is available everywhere in the org now (including in the Docker container), so we should probably remove the SSLv1 interfaces. I'm slightly concerned this is going to end up becoming a Yocto update blocker at some point in the not too distant future, so it would be best if this could be done in the next few months.

brandonkimbk commented 2 years ago

Thanks for the heads up Patrick. I believe @FighterNan worked on that piece with the security folks, I'll see if he can own cleaning up that piece.

FighterNan commented 2 years ago

Thanks, let me bring that up with security teams.

williamspatrick commented 2 years ago

> Thanks, let me bring that up with security teams.

Just to be sure there is no confusion. You don’t have to stop using SHA256 hash necessarily, but they have changed the primary API for doing hashes and the currently used API is deprecated. I did work across the rest of the codebase in about Sept/Oct last year to port it all to the OpenSSL3 APIs.

FighterNan commented 2 years ago

Yes, I understand that. Reference the doc of SHA256_Init below.

"All of the functions described on this page except for SHA1(), SHA224(), SHA256(), SHA384() and SHA512() are deprecated. Applications should instead use EVP_DigestInit_ex(3), EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3), or the quick one-shot function EVP_Q_digest(3). SHA1(), SHA224(), SHA256(), SHA384(), and SHA256() can continue to be used. They can also be replaced by, e.g.,"