------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugs.exim.org/show_bug.cgi?id=674 --- Comment #16 from Phil Pennock <[email protected]> 2009-06-16 00:19:44 --- The OpenSSL developers have a different view of abstraction and where the responsibility boundaries lay. I asked on openssl-dev about this issue, referencing this bug, and they're of the opinion that Exim needs someone who keeps up-to-date on algorithm security weaknesses if Exim is to use OpenSSL. See this thread (multiple web archives, pick your poison): http://markmail.org/search/?q=list:org.openssl.openssl-dev#query:list%3Aorg.openssl.openssl-dev+page:2+mid:7yosrfphbuk2giik+state:results http://groups.google.com/group/mailing.openssl.dev/browse_thread/thread/e4b15ce3abd4f1e8# http://marc.info/?l=openssl-dev&m=124503853216248&w=2 http://www.mail-archive.com/[email protected]/msg26021.html (Six mails in thread at time of my updating this bug) So, bite the bullet and enable EVP_sha256 by default, manually, or add my current patch, or both, or neither or ... With the current round of advances in breaks on SHA1, I suspect we really need to get SHA-256 support into Exim 4.70, one way or another, before there's a pre-image attack. But I'm not a cryptanalyst. -- Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email -- ## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
