<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Mar 17, 2015 at 11:24 AM, Michael Catanzaro <span dir="ltr"><<a href="mailto:mcatanzaro@gnome.org" target="_blank">mcatanzaro@gnome.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, I don't have any comment on the issue for your particular software<br>
package, since I don't know how important the security of the TLS is for<br>
that package and I'm not familiar with your compatibility needs.<br>
However, I see the following lines in the patch:<br>
<br>
// Work around ill-considered decision by Fedora to stop allowing<br>
// certificates with MD5 signatures<br>
<br>
It's not an ill-considered decision. Researchers first created a<br>
certificate collision -- a fake cert that's valid for the MD5 signature<br>
that a CA put on another cert -- in *2008*. You can't pretend these are<br>
secure in 2015. If you want to accept MD5 certificates, which might make<br>
sense depending on your compatibility needs, keep that in mind. It's<br>
certainly better than no TLS at all, but won't stop a good attacker.<br></blockquote><div><br></div><div>Just to be clear, it's not my patch :)</div><div><br></div><div>Thanks,</div><div>Richard</div></div><br></div></div>