Am 24.12.2013 04:03, schrieb Viktor Dukhovni: > On Tue, Dec 24, 2013 at 01:16:33AM +0100, li...@rhsoft.net wrote: >>> Deploying digests beyond SHA1 will cause interoperability problems >>> with systems that don't yet support the SHA2 family >> >> Are you aware of systems / mailservers which would have a >> problem with it? > > Yes. Any OpenSSL based MTA, with OpenSSL older April 7 2010: > > OpenSSL_1_0_0-stable (first released as OpenSSL 1.0.0a): > Date: Wed Apr 7 13:18:30 2010 +0000 > Add SHA2 algorithms to SSL_library_init(). Although these aren't used > directly by SSL/TLS SHA2 certificates are becoming more common and > applications that only call SSL_library_init() and not > OpenSSL_add_all_alrgorithms() will fail when verifying certificates. > > OpenSSL_0_9_8-stable (first released as OpenSSL 0.9.8o): > Date: Wed Apr 7 13:19:48 2010 +0000 > > Add SHA2 algorithms to SSL_library_init(). Although these aren't used > directly by SSL/TLS SHA2 certificates are becoming more common and > applications that only call SSL_library_init() and not > OpenSSL_add_all_alrgorithms() will fail when verifying certificates. > > The symptom would be that your certificate chain is not verifiable, > verify error:num=7:certificate signature failure
thank you for that am i right that this does not break opportunistic TLS at a whole for such destinations? in that case i would still go with RSA 3072 / SHA256 for severar reasons * recent distributions ship OpenSSL 1.0.0 or 1.0.1 * RHEL5: openssl-0.9.8e-26.el5_9.1 with backports > which rather makes all those sha256 signatures pointless, since > the whole certificate cannot be verified. in that cases yes, but in context of a wildcard certificate also used for webservers and internally TLS aware services on recent machines the question is how far one needs to be behind >> I am aware of the ironically domain below, but given that the NSA not only >> works on break into foreign systems but also protect US infracsturucture >> they may have a good reason to state 3072 Bit for AES128 >> >> http://www.nsa.gov/business/programs/elliptic_curve.shtml > > The NIST (and/or NSA) recommended key sizes are for an ideal world > without interoperability issues and implementation constraints. > In the real world, you sometimes get better security from less > ideal but more practical configurations. well aware, but somewhere needs to be started technical progress outside whitepapers..............
