Re: OpenSSL MD5 verification disabled?

2015-03-17 Thread Corey Sheldon
Doesn't honestly matter; MD5 and soon SHA-1 are insecure/phased out.
Inform the patch creator or submit a patch with it if you must use an
insecure hash like MD5.


Corey W Sheldon
Freelance IT Consultant, Multi-Discipline Tutor
(p) 310.909.7672
G+: https://www.plus.google.com/+CoreySheldon
LinkedIn: https://www.linkedin.com/profile/view?id=70127804
Github: https://www.github.com/linux-modder
Facebook: https://www.facebook.com/corey.sheldon
Several Communities on Stack Exchange https://www.stackexchange.com

http://www.facebook.com/1stclassmobileshine

Tutoring in person or via any of the following platforms:
HackHands https://www.hackhands.com
Wizpert https://www.wizperts.com
FieldNation https://www.fieldnation.com
AirPair https://www.airpair.com
TrueLancer

{PayPal,Google Wallet/Play store, Apple Pay}

On Tue, Mar 17, 2015 at 12:31 PM, Richard Shaw hobbes1...@gmail.com wrote:

 On Tue, Mar 17, 2015 at 11:24 AM, Michael Catanzaro mcatanz...@gnome.org
 wrote:

 Hi, I don't have any comment on the issue for your particular software
 package, since I don't know how important the security of the TLS is for
 that package and I'm not familiar with your compatibility needs.
 However, I see the following lines in the patch:

 // Work around ill-considered decision by Fedora to stop allowing
 // certificates with MD5 signatures

 It's not an ill-considered decision. Researchers first created a
 certificate collision -- a fake cert that's valid for the 

Re: OpenSSL MD5 verification disabled?

2015-03-17 Thread Michael Catanzaro
Hi, I don't have any comment on the issue for your particular software
package, since I don't know how important the security of the TLS is for
that package and I'm not familiar with your compatibility needs.
However, I see the following lines in the patch:

// Work around ill-considered decision by Fedora to stop allowing
// certificates with MD5 signatures

It's not an ill-considered decision. Researchers first created a
certificate collision -- a fake cert that's valid for the MD5 signature
that a CA put on another cert -- in *2008*. You can't pretend these are
secure in 2015. If you want to accept MD5 certificates, which might make
sense depending on your compatibility needs, keep that in mind. It's
certainly better than no TLS at all, but won't stop a good attacker.

MD5 certificates were phased out years ago, and blocking them does not
cause any compatibility issues for certificates from real CAs anymore.
The logbook site should use SHA-256 instead of MD5. (Note that SHA-1 is
being phased out too!)

Michael

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
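Before deciding whether the "workaround" is even needed, the first thing to check is what digest the logbook site's certificate chain actually uses. The following is an added example, not code from this thread, from TrustedQSL or from Fedora's OpenSSL: a stdlib-only DER walker that reads the signature AlgorithmIdentifier from both the outer Certificate.signatureAlgorithm and the inner tbsCertificate.signature field (RFC 5280 requires the two to match) and applies the policy argued for above, rejecting MD5 and flagging SHA-1. The sample "certificates" are constructed inline and contain only the fields this checker reads; they are not valid certificates, and the OID table and verdict names are this example's own.

```python
"""Report which digest an X.509 certificate's signature uses (added example).

Stdlib only, no OpenSSL.  Walks the DER with a tiny TLV reader, pulls the
AlgorithmIdentifier OID out of Certificate.signatureAlgorithm and
tbsCertificate.signature, and applies a digest policy: MD5 rejected,
SHA-1 flagged, SHA-2 accepted.  Sample inputs below are constructed and are
NOT valid certificates, only the fields read here.
"""
import base64
import re

# OID -> (name, verdict).  The verdicts are this example's policy.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "REJECT"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "WARN"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "OK"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "OK"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "OK"),
}

def read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Yield (tag, content) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        yield tag, value

def decode_oid(content):
    """OID content octets -> dotted string (base-128 arcs, first byte packs two)."""
    arcs, n = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def signature_algorithms(der):
    """Return (outer OID, inner OID) of a DER-encoded Certificate."""
    _, cert, _ = read_tlv(der, 0)                       # Certificate ::= SEQUENCE {
    tbs, sig_alg, _sig_value = list(children(cert))[:3]  #   tbs, alg, BIT STRING }
    outer = decode_oid(next(children(sig_alg[1]))[1])
    fields = list(children(tbs[1]))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    inner = decode_oid(next(children(fields[1][1]))[1])  # serialNumber, then signature
    return outer, inner

def check_certificate(der):
    """Apply the digest policy; returns (verdict, detail)."""
    outer, inner = signature_algorithms(der)
    if outer != inner:   # RFC 5280 4.1.1.2: the two algorithm fields MUST agree
        return "REJECT", "signatureAlgorithm %s != tbsCertificate.signature %s" % (outer, inner)
    name, verdict = SIG_OIDS.get(outer, (outer, "UNKNOWN"))
    return verdict, name

def check_pem(text):
    """Same check for a PEM file such as 'openssl x509' writes."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return check_certificate(base64.b64decode("".join(body.group(1).split())))

# --- constructed sample data: a DER encoder for just what the checker reads ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def fake_certificate(outer_oid, inner_oid=None):
    """Certificate-shaped DER (constructed): version, serial, both AlgorithmIdentifiers."""
    alg = lambda oid: tlv(0x30, encode_oid(oid) + tlv(0x05, b""))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg(inner_oid or outer_oid)
    return tlv(0x30, tlv(0x30, tbs) + alg(outer_oid) + tlv(0x03, b"\x00\x00\x00\x00"))

if __name__ == "__main__":
    for label, der in [("md5", fake_certificate("1.2.840.113549.1.1.4")),
                       ("sha256", fake_certificate("1.2.840.113549.1.1.11")),
                       ("mismatch", fake_certificate("1.2.840.113549.1.1.11",
                                                     "1.2.840.113549.1.1.4"))]:
        print(label, check_certificate(der))
```

Run `check_pem(open("server.pem").read())` against the chain the logbook site serves; a REJECT on any certificate in it means the only real fix is on the server side (re-issue with SHA-256), not in the client's verification code. The mismatch case is included because the outer signatureAlgorithm is not covered by the signature, so a checker that only reads the outer field can be lied to.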

Re: OpenSSL MD5 verification disabled?

2015-03-17 Thread Richard Shaw
On Tue, Mar 17, 2015 at 11:24 AM, Michael Catanzaro mcatanz...@gnome.org
wrote:

 Hi, I don't have any comment on the issue for your particular software
 package, since I don't know how important the security of the TLS is for
 that package and I'm not familiar with your compatibility needs.
 However, I see the following lines in the patch:

 // Work around ill-considered decision by Fedora to stop allowing
 // certificates with MD5 signatures

 It's not an ill-considered decision. Researchers first created a
 certificate collision -- a fake cert that's valid for the MD5 signature
 that a CA put on another cert -- in *2008*. You can't pretend these are
 secure in 2015. If you want to accept MD5 certificates, which might make
 sense depending on your compatibility needs, keep that in mind. It's
 certainly better than no TLS at all, but won't stop a good attacker.


Just to be clear, it's not my patch :)

Thanks,
Richard

OpenSSL MD5 verification disabled?

2015-03-17 Thread Richard Shaw
I've got a new BZ report for my package TrustedQSL which uses OpenSSL to
verify a certificate used for uploading ham radio contacts to an online
logbook. The system uses MD5 which appears to be disabled in F21+.

https://bugzilla.redhat.com/show_bug.cgi?id=1202157

I don't like the workaround specified in the BZ but I don't see an
alternative so I would like to get some input from others who are better
versed in how OpenSSL works.

Thanks,
Richard

Re: OpenSSL MD5 verification disabled?

2015-03-17 Thread Tomas Mraz

On 17.3.2015 17:00, Richard Shaw wrote:

I've got a new BZ report for my package TrustedQSL which uses OpenSSL to
verify a certificate used for uploading ham radio contacts to an online
logbook. The system uses MD5 which appears to be disabled in F21+.

https://bugzilla.redhat.com/show_bug.cgi?id=1202157

I don't like the workaround specified in the BZ but I don't see an
alternative so I would like to get some input from others who are better
versed in how OpenSSL works.


Hi,
there is no other workaround. And they should not use MD5 signed 
certificates - they are insecure.


Regards,
Tomas Mraz
