-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/07/2010 23:26:03, Matthias Andree wrote:
> On 06.07.2010, 21:00, Matthew Seaman wrote:
>
>> On 06/07/2010 15:14:28, Andrew Reilly wrote:
>>> So: how should I "fix" this, properly, on my -current system? Is it
>>> as simple as installing heimdal from ports? I can't remove openssl-1.0:
>>> that has 191 ports listed in its REQUIRED_BY file.
>>
>> Rebuild the port of openssl-1.0.0 after modifying the OPTIONS to include
>> MD2=on ?
>
> Not good given that MD2 is broken. Very broken, not just by a factor of
> 2^5 or something.
>
> Where upon rests the earlier assertion (not by Matthew) that Kerberos V
> needed MD2 checksums?
> I can't seem to find that in the KRB5 protocol and checksum RFCs. If
> it's not mandatory we may want to nuke MD2 from Kerberos to remedy a
> weakness... Chapter and Verse welcome.

Yeah. Even so, lots of software still expects it to be present and
won't link without it. I hope no one is actually using it, or running
with a cipher configuration that would permit it to be used.

Cleaning all reliance on MD2 out of the ports and base would make a very
good project for a bunch of people, and pushing those changes upstream
would certainly help make the internet a better place. Probably should
start with an experimental run on a tinderbox somewhere trying to build
all ports that are OpenSSL consumers against security/openssl with MD2
turned off.

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew_at_infracaninophile.co.uk            Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkw0CfsACgkQ8Mjk52CukIzTAQCeOmkWeudx4UCnxI5wFBNrcAuY
x80AnivuyK8mPfOPHPUe7Y95uMMpUSVo
=PHpX
-----END PGP SIGNATURE-----

Received on Wed Jul 07 2010 - 03:00:57 UTC
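An added example, not part of the original message or of any FreeBSD tooling: ahead of the tinderbox run suggested above, a source-level pass can list where a port references OpenSSL's MD2 API outside an `OPENSSL_NO_MD2` guard, which are the places that would stop building or linking once MD2 is turned off. The function names and the sample C source are constructed for illustration, and only the simple guard forms (`#ifndef`, `#ifdef`, `#if defined(...)`, `#if !defined(...)`) are recognized.

```python
import re

# OpenSSL's MD2 entry points and header; OPENSSL_NO_MD2 is the macro OpenSSL
# defines when it is built without MD2.
MD2_REF = re.compile(
    r"\b(?:EVP_md2|MD2_Init|MD2_Update|MD2_Final|MD2)\s*\(|<openssl/md2\.h>")
DIRECTIVE = re.compile(r"^\s*#\s*(ifndef|ifdef|if|elif|else|endif)\b(.*)$")
FLIP = {"md2": "nomd2", "nomd2": "md2", None: None}

def branch_state(kind, cond):
    """'md2': built only with MD2; 'nomd2': only without; None: unrelated."""
    cond = re.sub(r"\s+", "", cond.split("/*")[0])
    if kind == "if":
        return {"!defined(OPENSSL_NO_MD2)": "md2",
                "defined(OPENSSL_NO_MD2)": "nomd2"}.get(cond)
    if cond != "OPENSSL_NO_MD2":
        return None
    return "md2" if kind == "ifndef" else "nomd2"

def unguarded_md2_refs(source):
    """Return (line_number, text) for MD2 references still compiled without MD2."""
    stack, hits = [], []          # one stack entry per open #if block
    for lineno, line in enumerate(source.splitlines(), 1):
        d = DIRECTIVE.match(line)
        if d:
            kind, cond = d.groups()
            if kind in ("if", "ifdef", "ifndef"):
                stack.append(branch_state(kind, cond))
            elif kind == "else" and stack:
                stack[-1] = FLIP[stack[-1]]
            elif kind == "elif" and stack:
                stack[-1] = None  # conservative: treat the branch as unguarded
            elif kind == "endif" and stack:
                stack.pop()
        elif MD2_REF.search(line) and "md2" not in stack:
            hits.append((lineno, line.strip()))
    return hits

# Constructed sample C source (not taken from any real port).
SAMPLE = """\
#include <openssl/md2.h>
#ifndef OPENSSL_NO_MD2
const EVP_MD *legacy(void) { return EVP_md2(); }
#else
const EVP_MD *legacy(void) { return NULL; }
#endif
void sum(unsigned char *o, const unsigned char *d, size_t n) { MD2(d, n, o); }
"""
```

On the sample, `unguarded_md2_refs(SAMPLE)` reports the bare header include and the `MD2()` call, and leaves the guarded `EVP_md2()` use alone.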