Rather than dropping it from the list, another option would be to re-prioritize the list. Given MD5 is weak, it should be at the end of the ClientHello signature algorithms extensions. This would facilitate backwards compatibility, while improving the security posture when communicating with peers that support SHA-2 algorithms.
Some may argue that SHA1 should be near the end of the list as well.

On 06/02/2013 02:11 PM, Kurt Roeckx via RT wrote:
> Hi,
>
> It seems that tls12_get_req_sig_algs() sends that MD5 is a
> supported signature algorithm, except in that case of FIPS.
>
> Would it make sense to drop MD5 from that list?
>
>
> Kurt
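The re-prioritization suggested in the reply above, sketched as an added example; it is not part of the thread and not OpenSSL code. It assumes the TLS 1.2 wire format of the signature_algorithms list (two-byte hash/signature pairs, HashAlgorithm values from RFC 5246); the function name and the ranking that puts SHA-1 just ahead of MD5 are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HashAlgorithm identifiers from RFC 5246, section 7.4.1.4.1. */
enum { HASH_MD5 = 1, HASH_SHA1 = 2, HASH_SHA256 = 4, HASH_SHA512 = 6 };

/* Assumed ranking: 0 = keep position, 1 = SHA-1, 2 = MD5 (sent last). */
static int weakness_rank(uint8_t hash)
{
    if (hash == HASH_MD5)  return 2;
    if (hash == HASH_SHA1) return 1;
    return 0;
}

/*
 * Stable in-place reorder of a list of (hash, signature) byte pairs so that
 * SHA-2 entries keep their relative order, SHA-1 entries follow, and MD5
 * entries come last. Nothing is dropped, so peers limited to MD5 or SHA-1
 * can still negotiate. Returns 0 on success, -1 on a malformed list.
 */
int deprioritize_weak_sigalgs(uint8_t *algs, size_t len)
{
    uint8_t out[256];
    size_t n = 0;

    if (algs == NULL || (len % 2) != 0 || len > sizeof(out))
        return -1;
    for (int rank = 0; rank <= 2; rank++) {
        for (size_t i = 0; i < len; i += 2) {
            if (weakness_rank(algs[i]) == rank) {
                out[n++] = algs[i];      /* hash id */
                out[n++] = algs[i + 1];  /* signature id */
            }
        }
    }
    memcpy(algs, out, len);
    return 0;
}

int main(void)
{
    /* Constructed sample list: MD5/RSA first, as a worst case. */
    uint8_t list[] = { 1,1, 6,1, 2,1, 4,3, 2,3 };
    if (deprioritize_weak_sigalgs(list, sizeof(list)) != 0)
        return 1;
    for (size_t i = 0; i < sizeof(list); i += 2)
        printf("hash=%u sig=%u\n", (unsigned)list[i], (unsigned)list[i + 1]);
    return 0;
}
```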