http://bugs.exim.org/show_bug.cgi?id=674
--- Comment #16 from Phil Pennock <exim-dev@???> 2009-06-16 00:19:44 ---
The OpenSSL developers have a different view of abstraction and where the
responsibility boundaries lie. I asked on openssl-dev about this issue,
referencing this bug, and they're of the opinion that Exim needs someone who
keeps up-to-date on algorithm security weaknesses if Exim is to use OpenSSL.
See this thread (multiple web archives, pick your poison):
http://markmail.org/search/?q=list:org.openssl.openssl-dev#query:list%3Aorg.openssl.openssl-dev+page:2+mid:7yosrfphbuk2giik+state:results
http://groups.google.com/group/mailing.openssl.dev/browse_thread/thread/e4b15ce3abd4f1e8#
http://marc.info/?l=openssl-dev&m=124503853216248&w=2
http://www.mail-archive.com/openssl-dev@openssl.org/msg26021.html
(Six mails in thread at time of my updating this bug)
So, bite the bullet and enable EVP_sha256 by default, manually, or add my
current patch, or both, or neither or ...
With the current round of advances in breaks on SHA1, I suspect we really need
to get SHA-256 support into Exim 4.70, one way or another, before there's a
pre-image attack. But I'm not a cryptanalyst.