I'll have a look at where/how the fingerprint method is used; if necessary, I'll 
upgrade it to use SHA-256. Thanks for the pointers.


From: John Kinsella <>
Sent: 02 December 2016 13:12:12
Subject: Re: [DISCUSS] Bountycastle upgrade

2 thoughts:

1) I know this is partially git’s fault on the diff, and I know this is a 
standard gripe from me, but for reviewers things are much easier if 
syntax/whitespace changes are separated out into a separate patch from 
2) One thing that caught my eye was the SHA-1 use on the fingerprint. That got 
me looking around the codebase, and I see SHA-1/SHA1 sprinkled around. It’s not 
considered secure anymore [1]. Some of the uses are just for naming, that’s 
fine. I don’t think any of the use I saw was OMGFIXNOW. But at some point might 
be nice to replace all that with SHA-256. Would require a data migration, 
3) Awesome, run with it. :)

53 Chandos Place, Covent Garden, London WC2N 4HS, UK

> On Dec 1, 2016, at 10:17 PM, Rohit Yadav <> wrote:
> All,
> I've sent a PR that will upgrade bountycastle dependency to the latest 
> version [1]. In terms of security, an upgrade is necessary though it would 
> also require for users (who are upgrading to, or later) to 
> destroy old systemvms such as CPVM and SSVM so the agents that will be 
> started in new system vms will use the same dependency jar (version/release) 
> and use the same cipher suites as the mgmt server (i.e. there will be no 
> SSL-based communication issue afterwards) as provided by bountycastle v1.55.
> Thoughts, feedback?
> [1]
> Regards.
> 53 Chandos Place, Covent Garden, London WC2N 4HS, UK
> @shapeblue
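The thread above raises two related points: replacing SHA-1 with SHA-256 in the certificate fingerprint method, and the data migration that existing stored fingerprints would then need. The following is an added example written for this page, not CloudStack or Bouncy Castle code, using only the JDK's standard `java.security` API. It assumes a fingerprint is the digest of the certificate's DER encoding rendered as colon-separated hex (a common convention, not something the thread specifies), that a legacy record can be recognised by its 20-byte SHA-1 length, and uses a constructed byte array as a stand-in for real certificate bytes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

/**
 * Added example (not CloudStack or Bouncy Castle code): compute certificate
 * fingerprints with SHA-256 instead of SHA-1, detect stored legacy SHA-1
 * values, and migrate them only after re-verifying them against the certificate.
 */
public class FingerprintMigration {

    private static final String LEGACY_ALGORITHM = "SHA-1";
    private static final String ALGORITHM = "SHA-256";

    /** Colon-separated upper-case hex digest of the given DER bytes. */
    public static String fingerprint(byte[] derEncoded, String algorithm) {
        try {
            byte[] digest = MessageDigest.getInstance(algorithm).digest(derEncoded);
            StringBuilder sb = new StringBuilder(digest.length * 3);
            for (int i = 0; i < digest.length; i++) {
                if (i > 0) sb.append(':');
                sb.append(String.format("%02X", digest[i] & 0xFF));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            // Both SHA-1 and SHA-256 are mandatory JDK algorithms, so this is unexpected.
            throw new IllegalStateException(algorithm + " not available", e);
        }
    }

    /** New-style fingerprint for a parsed certificate: SHA-256 over its DER encoding. */
    public static String fingerprint(X509Certificate cert) throws CertificateEncodingException {
        return fingerprint(cert.getEncoded(), ALGORITHM);
    }

    /**
     * A SHA-1 fingerprint has 20 bytes = 40 hex digits once the colons are removed;
     * a SHA-256 fingerprint has 32 bytes = 64 hex digits. Assumption for this example:
     * no other formats are stored.
     */
    public static boolean isLegacySha1(String stored) {
        return stored != null && stored.replace(":", "").length() == 40;
    }

    /**
     * Migration step for one stored record: if the value is a legacy SHA-1
     * fingerprint, recompute SHA-1 over the certificate and require a match
     * (constant-time compare) before replacing it with SHA-256. A mismatch is
     * surfaced rather than silently overwritten, since it means the stored
     * record and the certificate disagree.
     */
    public static String migrate(String stored, byte[] derEncoded) {
        if (!isLegacySha1(stored)) {
            return stored; // already SHA-256; nothing to do
        }
        byte[] expected = fingerprint(derEncoded, LEGACY_ALGORITHM)
                .getBytes(StandardCharsets.US_ASCII);
        byte[] actual = stored.toUpperCase().getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new IllegalStateException(
                "stored SHA-1 fingerprint does not match certificate; refusing to migrate");
        }
        return fingerprint(derEncoded, ALGORITHM);
    }

    public static void main(String[] args) {
        // Constructed stand-in for a certificate's DER bytes (not a real certificate).
        byte[] der = "constructed-der-bytes".getBytes(StandardCharsets.US_ASCII);

        String legacy = fingerprint(der, LEGACY_ALGORITHM);
        System.out.println("stored  : " + legacy + "  legacy=" + isLegacySha1(legacy));

        String migrated = migrate(legacy, der);
        System.out.println("migrated: " + migrated + "  legacy=" + isLegacySha1(migrated));

        // Running the migration again is a no-op on the new value.
        System.out.println("idempotent: " + migrated.equals(migrate(migrated, der)));
    }
}
```

Because the new fingerprint is a different length, a migration can run in place over a table of stored values and be re-run safely: records already holding a SHA-256 value are left untouched, and a record whose SHA-1 value no longer matches its certificate is reported instead of being rewritten.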
