Should we settle on one SSL implementation?

Robert Relyea rrelyea at redhat.com
Tue Oct 23 17:29:17 UTC 2007


Simo Sorce wrote:
> On Tue, 2007-10-23 at 16:11 +0100, Daniel P. Berrange wrote:
>   
>> Well for that matter GLibC itself has MD5 in it....
>>     
>
> Quick! Make it depend on NSS! :-)
>   
In progress. ;)
> /simo with 3 packages with the same bug filed I can't possibly fix as
> NSS simply does not have the relevant algorithms ...
>   
Which algorithms are missing?

If MD4 is one of the algorithms, we have a plan for that. MD4 is 
fundamentally broken, has been for 10 years. There is only one 
legitimate use of MD4 that I know of and that is to support NTLM 
(Microsoft's old NT authentication mechanism). In this case we need a 
common NTLM library that all NTLM users call. Any other use of MD4 needs 
to be identified and potentially squashed. Blind use of MD4 is 
detrimental to the security of our products.

If your product used MD4 for NTLM, we need a bug to create our common 
NTLM library (probably means take an existing library and make it the 
standard), and make your conversion dependent on that library. If your 
package used MD4 for something other than NTLM, we need to look at that 
usage specifically to see if it's a security issue.

bob



More information about the fedora-devel-list mailing list