Following a recent "distribution policy : make .md5 optional" thread at 
us...@infra.apache.org and looking at https://en.wikipedia.org/wiki/MD5

"Although MD5 was initially designed to be used as a cryptographic hash function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum <https://en.wikipedia.org/wiki/Checksum> to verify data integrity <https://en.wikipedia.org/wiki/Data_integrity>, but only against unintentional corruption."

I was wondering so I checked and we no longer use MD5 anywhere but for last 
usable ciphers in Catalina ofbiz-component.xml

I copied that recently from [1] and read now at [2] that MD5 is still used, 
though still almost at the end of the possible default ciphers.

I also read at [3] "HOW TO -- Disable weak ciphers in Tomcat 7 & 8" how to used 
only nowadays reliable ciphers

Maybe we could ask Tomcat user ML for advice, but reading https://wiki.apache.org/tomcat/Security/Ciphers it seems it's a tradeoff and we will get the same answer from the ML.

What are your opinions? Should we follow [3] suggestion or let it as is OOTB and just warn users about that in a comment? Note that [4] is really complete and interesting, MD5 as a cypher is not recommended there.

[1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html

[2] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html

[3] https://s.apache.org/h2vH

[4] https://wiki.mozilla.org/Security/Server_Side_TLS


Reply via email to