[Date Prev][Date Next] [Chronological] [Thread] [Top]

Antw: use openssl or moznss for more than TLS?

To: "Steve Eckmann" <steve.eckmann@issinc.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Antw: use openssl or moznss for more than TLS?
From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
Date: Fri, 25 Oct 2013 09:01:39 +0200
Content-disposition: inline
In-reply-to: <1cc760ef909d438ab78baff3ff7547b1@CO1PR04MB442.namprd04.prod.outlook.com>
References: <1cc760ef909d438ab78baff3ff7547b1@CO1PR04MB442.namprd04.prod.outlook.com>

>>> Steve Eckmann <steve.eckmann@issinc.com> schrieb am 25.10.2013 um 04:08 in
Nachricht
<1cc760ef909d438ab78baff3ff7547b1@CO1PR04MB442.namprd04.prod.outlook.com>:
> We need a FIPS-validated SHA512 for password storage. The pw-sha2 module 
> provides SHA512 but isn't FIPS-validated. I see that I can use openssl or 
> moznss in FIPS mode to get TLS, but I don't see how to get to either of those 
> library's crypto functions from openldap. Is it possible?

Hi!

I don't know what you wnat to do, but user's passwords will be significantly weaker than SHA-1 I guess. The only thing is that some algorithms use more random bits for the salt, so the new security actually comes from mor salt, not from longer hashes. Still common passwords (from a dictionary) are problematic...

Like this (both passwords are identical):
mOH0vXSTP9b9c (DES, UNIX standard)
$6$rF2.bjfmxyctx3d2$7pJwHFCgsJPD/nwoA4kUm2aykwpWs3VUO5zZrQzEVWEqgGM0.qSvzkP3fsaJXrDCgjQvw454DkPYAh6Z/BD/p1 (SHA-512)

Regards,
Ulrich

> 
> Thanks.
> 
> Steve

Follow-Ups:
- RE: Antw: use openssl or moznss for more than TLS?
  - From: Steve Eckmann <steve.eckmann@issinc.com>

References:
- use openssl or moznss for more than TLS?
  - From: Steve Eckmann <steve.eckmann@issinc.com>

Prev by Date: Re: Antw: Re: RE24 testing call (OpenLDAP 2.4.37)
Next by Date: RE: Antw: use openssl or moznss for more than TLS?
Index(es):
- Chronological
- Thread