Hi, I don't have any comment on the issue for your particular software package, since I don't know how important the security of the TLS is for that package and I'm not familiar with your compatibility needs. However, I see the following lines in the patch: // Work around ill-considered decision by Fedora to stop allowing // certificates with MD5 signatures It's not an ill-considered decision. Researchers first created a certificate collision -- a fake cert that's valid for the MD5 signature that a CA put on another cert -- in *2008*. You can't pretend these are secure in 2015. If you want to accept MD5 certificates, which might make sense depending on your compatibility needs, keep that in mind. It's certainly better than no TLS at all, but won't stop a good attacker. MD5 certificates were phased out years ago, and blocking them does not cause any compatibility issues for certificates from real CAs anymore. The logbook site should use SHA-256 instead of MD5. (Note that SHA-1 is being phased out too!) Michael -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
