On Mon, Jan 7, 2013 at 10:03 PM, Alex Harvey <alexharv...@gmail.com> wrote:
> On Tuesday, January 8, 2013 6:19:40 AM UTC+11, Andy Parker wrote:
>> On Sat, Jan 5, 2013 at 8:28 AM, Alex Harvey <alexh...@gmail.com> wrote:
>
> I am yet to fully get my head around what to_pson is used for.  However, I
> am wondering if this move to FIPS 140-2 compliance and Jeff's comment about
> ruby segfaulting when using MD5 means I should handle a case where neither
> SHA1 nor SHA256 is available differently.

So, the deal with FIPS 140-2 is that they made it a failing grade for
your crypto library to support MD5, full stop.  So, if OpenSSL is
compiled in FIPS 140-2 compliant mode, MD5 is unavailable.

Ruby blindly assumes that it exists.  It also assumes that SHA1 and
friends exist based on the date version of OpenSSL, without a check on
the FIPS 140-2 status.

They might fix their bug and stop segfaulting, but you absolutely need
to be concerned that the SHA1 algorithm may not exist for long; it has
shown some weakness, and the US government are slowly moving away from
it to other algorithms.  The SHA3 process was part of that.

I have no strong opinion here, just that information. :)

-- 
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
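
As an added illustration of the point in this message (not part of the original email and not Puppet's code): one way to choose a digest at runtime instead of assuming MD5 or SHA1 exists, with an explicit error when nothing is usable. The names `DIGEST_PREFERENCE`, `NoUsableDigest`, `digest_usable?`, `pick_digest` and `fingerprint`, and the preference order itself, are assumptions made for this sketch.

```ruby
require 'openssl'

# Assumed preference order for this example: strongest first, MD5 last.
DIGEST_PREFERENCE = %w[SHA256 SHA1 MD5].freeze

# Raised when the crypto library offers none of the requested digests.
class NoUsableDigest < StandardError; end

# True only if this process's OpenSSL build can instantiate AND run the
# digest. Hashing a short probe string catches builds where the name is
# known but the algorithm is disabled (for example by a FIPS policy).
def digest_usable?(name)
  OpenSSL::Digest.new(name).hexdigest('probe')
  true
rescue OpenSSL::OpenSSLError, RuntimeError
  false
end

# Walk the preference list and stop at the first usable digest. A rescue
# cannot catch a crash inside the native library, so later (weaker)
# entries such as MD5 are never touched once an earlier one works.
# `probe` is injectable so a restricted build can be simulated in tests.
def pick_digest(preference = DIGEST_PREFERENCE, probe: method(:digest_usable?))
  name = preference.find { |candidate| probe.call(candidate) }
  unless name
    raise NoUsableDigest, "none of #{preference.join(', ')} is available"
  end
  name
end

# Label the output with the algorithm that produced it, so a consumer
# never has to guess which digest was chosen on the producing host.
def fingerprint(data, preference = DIGEST_PREFERENCE, probe: method(:digest_usable?))
  name = pick_digest(preference, probe: probe)
  "{#{name.downcase}}#{OpenSSL::Digest.new(name).hexdigest(data)}"
end
```

Callers should treat `NoUsableDigest` as a hard failure rather than silently skipping the checksum.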
