On 8.1.2016 13:56, Fraser Tweedale wrote:
> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote:
>> Hi Fraser and other X.509 SMEs,
>> I wanted to check with you on what we have or plan to have with respect to
>> certificate/cipher strength in FreeIPA.
>> When I visit the FreeIPA public demo for example, I usually see the following
>> errors with recent browsers:
>> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete
>> cipher suite.
>> - The connection uses TLS 1.2
>> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for
>> message authentication and RSA as the key exchange mechanism
HMAC-SHA1 reminded me of a recently published paper:
It claims that all MD5 and SHA1 uses should be eliminated if feasible.
> ... So, if you can afford to do so, get rid of MD5 and SHA1 in all your
> protocol configurations.
I have no idea if we can do that, but we should at least try ...
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
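To make the browser warning quoted above checkable against a server's own cipher list, here is an added example (not from the thread or from FreeIPA) that classifies OpenSSL-style cipher suite names, flagging the HMAC-SHA1/MD5 record MACs the paper warns about, legacy non-AEAD constructions and RSA key transport without forward secrecy; the sample suite list is constructed.

```python
"""Flag TLS cipher suites that recent browsers label "obsolete".

Added example. Names are OpenSSL-style (e.g. the demo's AES_128_CBC +
HMAC-SHA1 + RSA key exchange is OpenSSL "AES128-SHA"); SAMPLE_SUITES is
a constructed list, not a real FreeIPA configuration.
"""

AEAD_MARKERS = ("GCM", "CCM", "POLY1305")
FORWARD_SECRET_KX = ("ECDHE", "DHE", "EDH")

SAMPLE_SUITES = [
    "AES128-SHA",                     # the demo case from the thread
    "DES-CBC3-SHA",                   # RSA kx, 3DES-CBC, HMAC-SHA1
    "RC4-MD5",                        # RSA kx, RC4, HMAC-MD5
    "ECDHE-RSA-AES128-SHA256",        # forward secret, but still CBC+HMAC
    "ECDHE-RSA-AES128-GCM-SHA256",    # forward secret, AEAD
    "ECDHE-ECDSA-CHACHA20-POLY1305",  # forward secret, AEAD
]


def analyse_suite(name):
    """Return the list of weaknesses of one OpenSSL-style suite name.

    An empty list means forward-secret key exchange with an AEAD cipher,
    so no SHA-1/MD5 MAC construction is used at all.
    """
    tokens = name.upper().split("-")
    issues = []
    # OpenSSL omits the key exchange for plain RSA key transport,
    # e.g. AES128-SHA is TLS_RSA_WITH_AES_128_CBC_SHA.
    kx = tokens[0]
    if kx in ("ADH", "AECDH"):
        issues.append("anonymous key exchange (no server authentication)")
    elif kx not in FORWARD_SECRET_KX:
        issues.append("RSA key exchange (no forward secrecy)")
    if "RC4" in tokens:
        issues.append("RC4 stream cipher (broken)")
    elif "DES" in tokens:  # DES-CBC-SHA, DES-CBC3-SHA
        issues.append("DES/3DES block cipher (64-bit blocks)")
    if not any(tok in AEAD_MARKERS for tok in tokens):
        mac = tokens[-1]  # the trailing token names the HMAC hash
        if mac == "MD5":
            issues.append("HMAC-MD5 record MAC")
        elif mac == "SHA":
            issues.append("HMAC-SHA1 record MAC")
        issues.append("legacy MAC-then-encrypt construction (not AEAD)")
    return issues


def modern_only(suites):
    """Keep only the suites a recent browser would not flag."""
    return [s for s in suites if not analyse_suite(s)]


if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(suite, "->", analyse_suite(suite) or ["ok"])
    print("recommended:", ":".join(modern_only(SAMPLE_SUITES)))
```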