OpenSSL MD5 verification disabled?

Richard Shaw hobbes1069 at gmail.com
Tue Mar 17 16:31:42 UTC 2015


On Tue, Mar 17, 2015 at 11:24 AM, Michael Catanzaro <mcatanzaro at gnome.org>
wrote:

> Hi, I don't have any comment on the issue for your particular software
> package, since I don't know how important the security of the TLS is for
> that package and I'm not familiar with your compatibility needs.
> However, I see the following lines in the patch:
>
> // Work around ill-considered decision by Fedora to stop allowing
> // certificates with MD5 signatures
>
> It's not an ill-considered decision. Researchers first created a
> certificate collision -- a fake cert that's valid for the MD5 signature
> that a CA put on another cert -- in *2008*. You can't pretend these are
> secure in 2015. If you want to accept MD5 certificates, which might make
> sense depending on your compatibility needs, keep that in mind. It's
> certainly better than no TLS at all, but won't stop a good attacker.
>

Just to be clear, it's not my patch :)

Thanks,
Richard
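For a reader who needs to know whether a given certificate would be affected by the OpenSSL change discussed above, the following is an added example (not code from this thread, the patch, or Fedora): a minimal DER walker that reads the outer `Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }` structure and reports whether `signatureAlgorithm` is an MD2, MD5 or SHA-1 based OID. It uses only the standard library; the certificate bytes it checks are constructed inline (a placeholder tbsCertificate and signature) and are not a real certificate, but the walker works unchanged on real DER-encoded certificates.

```python
"""Flag X.509 certificates whose signature uses MD5 or another weak digest.

Added example; not from the mailing-list thread. The constructed_cert()
helper builds a structurally valid but content-free Certificate so the
check runs offline; feed it real DER bytes to inspect a real chain.
"""

# OIDs of signature algorithms built on digests that must not be trusted.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Return the dotted OID found in Certificate.signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = read_tlv(cert)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid_bytes, _ = read_tlv(alg_id)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid_bytes)


def weak_signature(cert_der):
    """Return the weak algorithm name, or None if the digest is acceptable."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))


# --- helpers that build the constructed sample certificate ---------------

def der(tag, content):
    """Minimal DER TLV encoder (short and long length forms)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    ln = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def encode_oid(dotted):
    """Encode a dotted OID into DER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """Build a structurally valid, content-free Certificate (constructed sample)."""
    tbs = der(0x30, der(0x02, b"\x01"))                      # placeholder tbsCertificate
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # OID + NULL params
    sig = der(0x03, b"\x00" + b"\x00" * 32)                  # placeholder BIT STRING
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        cert = constructed_cert(oid)
        print(oid, "->", weak_signature(cert) or "acceptable digest")
```

The check only looks at the outer `signatureAlgorithm` field, which is the one the CA signed with and the one the 2008 collision attack targets; it does not replace full chain validation, and a chain is only as strong as its weakest intermediate, so run it over every certificate in the chain rather than the leaf alone.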