Re: Should we settle on one SSL implementation?

Simo Sorce wrote:
On Tue, 2007-10-23 at 16:11 +0100, Daniel P. Berrange wrote:
Well for that matter GLibC itself has MD5 in it....

Quick! Make it depend on NSS! :-)
in progress.;).
/simo with 3 packages with the same bug filed I can't possibly fix as
NSS simply does not have the relevant algorithms ...
Which algorithms are missing?

If MD4 is one of the algorithms, we have a plan for that. MD4 is fundamentally broken, has been for 10 years. There is only one legitimate use of MD4 that I know of and that is to support NTLM (Microsoft's old NT authentication mechanism). In this case we need a common NTLM library that all NTLM users call. Any other use of MD4 needs to be identified and potentially squashed. Blind use of MD4 is detrimental to the security of our products.

If your product used MD4 for NTLM, we need a bug to create our common NTLM library (probably means take an existing library and make it the standard), and make your conversion dependent on that library. If your package used MD4 for something other than NTLM, we need to look at that usage specifically to see if it's a security issue.

