On Mon, Jun 03, 2013 at 07:25:24AM -0400, John Foley wrote: > Rather than dropping it from the list, another option would be to > re-prioritize the list. Given MD5 is weak, it should be at the end of > the ClientHello signature algorithms extensions. This would facilitate > backwards compatibility, while improving the security posture when > communicating with peers that support SHA-2 algorithms.
Please note that this is about a CertificateRequest in TLS 1.2. The server gives a list of acceptable signature algorithms, in it's prefered order. MD5 is already last in that list. It's my understanding that if you drop MD5 from that list, you will stop accepting client certificates that use MD5, which really is what I want to do. Kurt ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
