Re: OpenSSL MD5 verification disabled?

On Tue, Mar 17, 2015 at 11:24 AM, Michael Catanzaro <mcatanzaro@xxxxxxxxx> wrote:
> Hi, I don't have any comment on the issue for your particular software
> package, since I don't know how important the security of the TLS is for
> that package and I'm not familiar with your compatibility needs.
> However, I see the following lines in the patch:
>
> // Work around ill-considered decision by Fedora to stop allowing
> // certificates with MD5 signatures
>
> It's not an ill-considered decision. Researchers first created a
> certificate collision -- a fake cert that's valid for the MD5 signature
> that a CA put on another cert -- in *2008*. You can't pretend these are
> secure in 2015. If you want to accept MD5 certificates, which might make
> sense depending on your compatibility needs, keep that in mind. It's
> certainly better than no TLS at all, but won't stop a good attacker.

Just to be clear, it's not my patch :)

Thanks,
Richard

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
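The quoted message is about whether a TLS library should keep accepting certificates whose signature uses MD5. The following is an added example, not code from this thread, from the patch under discussion, or from Fedora's OpenSSL package: a small pure-stdlib DER walker that pulls the signatureAlgorithm OID out of an X.509 certificate (the field a verifier consults before deciding whether to trust the signature at all), cross-checks it against the copy inside tbsCertificate as RFC 5280 requires, and classifies MD2/MD4/MD5 as reject and SHA-1 as deprecated. The certificate skeletons it builds for itself are constructed test data (valid DER structure, no real key, no real signature); the OID tables and the helper names are the example's own.

```python
"""Flag X.509 certificates signed with MD5 (or other weak digests).

Added example, not from the thread or from any project it mentions. The
certificates built by make_test_certificate() are constructed skeletons:
structurally valid DER, but unsigned and with placeholder fields.
"""

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) and how a verifier should treat them.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
DEPRECATED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsaWithSHA1",
}


def der_read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(contents):
    """Split a constructed element's contents into a list of (tag, contents)."""
    out, pos = [], 0
    while pos < len(contents):
        tag, child, pos = der_read_tlv(contents, pos)
        out.append((tag, child))
    return out


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents to dotted form (base-128 arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def algorithm_oid(alg_ident):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_bytes = der_children(alg_ident)[0]
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_bytes)


def certificate_signature_oids(cert_der):
    """Return (tbsCertificate.signature OID, Certificate.signatureAlgorithm OID)."""
    tag, cert, _ = der_read_tlv(cert_der, 0)
    children = der_children(cert)
    if tag != 0x30 or len(children) != 3:
        raise ValueError("not a Certificate SEQUENCE of three elements")
    (tbs_tag, tbs), (alg_tag, alg), (sig_tag, _) = children
    if tbs_tag != 0x30 or alg_tag != 0x30 or sig_tag != 0x03:
        raise ValueError("unexpected tags in Certificate")
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields[0] is serialNumber, fields[1] is the signed copy of the AlgorithmIdentifier
    return algorithm_oid(fields[1][1]), algorithm_oid(alg)


def classify_certificate(cert_der):
    """('reject'|'warn'|'ok', reason). Mismatched inner/outer algorithms are rejected too."""
    inner, outer = certificate_signature_oids(cert_der)
    if inner != outer:
        return "reject", f"signature algorithm mismatch: tbs={inner} outer={outer}"
    if outer in WEAK_SIGNATURE_OIDS:
        return "reject", WEAK_SIGNATURE_OIDS[outer]
    if outer in DEPRECATED_SIGNATURE_OIDS:
        return "warn", DEPRECATED_SIGNATURE_OIDS[outer]
    return "ok", outer


# --- constructed test data below: DER encoder and a certificate skeleton --------------

def der_tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + contents


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_test_certificate(inner_oid, outer_oid=None):
    """Constructed, unsigned Certificate skeleton: version, serial, signature
    AlgorithmIdentifier, then a padding OCTET STRING in place of the remaining
    tbs fields (long enough to exercise long-form DER lengths)."""
    alg = lambda oid: der_tlv(0x30, der_tlv(0x06, encode_oid(oid)) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01\x00\x01")
                  + alg(inner_oid) + der_tlv(0x04, b"\x00" * 300))
    sig = der_tlv(0x03, b"\x00" + b"\xAA" * 256)  # placeholder BIT STRING, not a signature
    return der_tlv(0x30, tbs + alg(outer_oid or inner_oid) + sig)


if __name__ == "__main__":
    for label, cert in [("md5", make_test_certificate("1.2.840.113549.1.1.4")),
                        ("sha256", make_test_certificate("1.2.840.113549.1.1.11"))]:
        print(label, classify_certificate(cert))
```

Two points the check has to get right in practice: the algorithm that matters is the one on each certificate a CA issued in the chain, not the self-signature of a trust anchor you installed deliberately (that root is trusted by configuration, not by its own signature), and the OID must be read from the signed tbsCertificate copy as well as the outer field, since only the former is covered by the signature.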
