[exim-dev] [Bug 674] exim can't verify sha256WithRSAEncrypti…

Góra strony
Delete this message
Reply to this message
Autor: Phil Pennock
Data:  
Dla: exim-dev
Stare tematy: [exim-dev] [Bug 674] New: exim can't verify sha256WithRSAEncryption signature in X. 509 certificates when linked against OpenSSL
Temat: [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=674




--- Comment #16 from Phil Pennock <exim-dev@???> 2009-06-16 00:19:44 ---
The OpenSSL developers have a different view of abstraction and where the
responsibility boundaries lay. I asked on openssl-dev about this issue,
referencing this bug, and they're of the opinion that Exim needs someone who
keeps up-to-date on algorithm security weaknesses if Exim is to use OpenSSL.

See this thread (multiple web archives, pick your poison):

http://markmail.org/search/?q=list:org.openssl.openssl-dev#query:list%3Aorg.openssl.openssl-dev+page:2+mid:7yosrfphbuk2giik+state:results

http://groups.google.com/group/mailing.openssl.dev/browse_thread/thread/e4b15ce3abd4f1e8#

http://marc.info/?l=openssl-dev&m=124503853216248&w=2

http://www.mail-archive.com/openssl-dev@openssl.org/msg26021.html

(Six mails in thread at time of my updating this bug)

So, bite the bullet and enable EVP_sha256 by default, manually, or add my
current patch, or both, or neither or ...

With the current round of advances in breaks on SHA1, I suspect we really need
to get SHA-256 support into Exim 4.70, one way or another, before there's a
pre-image attack. But I'm not a cryptanalyst.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email