On Tue, Mar 17, 2015 at 11:24 AM, Michael Catanzaro <mcatanz...@gnome.org> wrote:
> Hi, I don't have any comment on the issue for your particular software
> package, since I don't know how important the security of the TLS is for
> that package and I'm not familiar with your compatibility needs.
> However, I see the following lines in the patch:
>
> // Work around ill-considered decision by Fedora to stop allowing
> // certificates with MD5 signatures
>
> It's not an ill-considered decision. Researchers first created a
> certificate collision -- a fake cert that's valid for the MD5 signature
> that a CA put on another cert -- in *2008*. You can't pretend these are
> secure in 2015. If you want to accept MD5 certificates, which might make
> sense depending on your compatibility needs, keep that in mind. It's
> certainly better than no TLS at all, but won't stop a good attacker.
>

Just to be clear, it's not my patch :)

Thanks,
Richard