> I now have reason to believe that they just removed MD5 from known > signing algorithms, and that a SHA1 will work. Anyone know anything > about this?
There's an exploit for the MD5 version. It looks pretty serious and
deserves to be fixed by disabling the MD5 signing algorithm.
www.phreedom.org/research/rogue-ca/
What exactly did you change in /sys/src/libsec/port/x509.c? I had a
quick look this morning, but I didn't have the opportunity to dig deep
enough.
Lucio.
