OpenSSL MD5 verification disabled?

Richard Shaw hobbes1069 at
Tue Mar 17 16:31:42 UTC 2015

On Tue, Mar 17, 2015 at 11:24 AM, Michael Catanzaro <mcatanzaro at>

> Hi, I don't have any comment on the issue for your particular software
> package, since I don't know how important the security of the TLS is for
> that package and I'm not familiar with your compatibility needs.
> However, I see the following lines in the patch:
> // Work around ill-considered decision by Fedora to stop allowing
> // certificates with MD5 signatures
> It's not an ill-considered decision. Researchers first created a
> certificate collision -- a fake cert that's valid for the MD5 signature
> that a CA put on another cert -- in *2008*. You can't pretend these are
> secure in 2015. If you want to accept MD5 certificates, which might make
> sense depending on your compatibility needs, keep that in mind. It's
> certainly better than no TLS at all, but won't stop a good attacker.

Just to be clear, it's not my patch :)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the devel mailing list