Mailing List Archive: exim: dev

[Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL

Index | Next | Previous | View Threaded

exim-dev at spodhuis

Jun 14, 2009, 7:57 PM

Post #1 of 2 (535 views)
Permalink

[Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=674

--- Comment #15 from Phil Pennock <exim-dev[at]spodhuis.org> 2009-06-15 03:57:24 ---
(In reply to comment #14)
> thanks a lot for this information. No doubt it's the cleanest solution if
> OpenSSL loads SHA256 by default.

I've been thinking about this some just recently; my opinion has shifted
somewhat. I still think that the patch I previously provided is the best
solution.

However, openssl-1.0.0-beta2 is out and it still does not enable SHA-256 by
default, even though it's in standards-tracks for default usage, as noted
above. More and more, I'm seeing real world usage shift towards sha-256 away
from SHA-1 or even MD5.

Exim *shouldn't* be getting involved in policy and loading SHA-256 manually,
but I think that pragmatically we're going to have to.

Tony, Nigel, any thoughts on this?

--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

exim-dev at spodhuis

Jun 15, 2009, 4:19 PM

Post #2 of 2 (476 views)
Permalink

[Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL [In reply to]

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=674

--- Comment #16 from Phil Pennock <exim-dev[at]spodhuis.org> 2009-06-16 00:19:44 ---
The OpenSSL developers have a different view of abstraction and where the
responsibility boundaries lay. I asked on openssl-dev about this issue,
referencing this bug, and they're of the opinion that Exim needs someone who
keeps up-to-date on algorithm security weaknesses if Exim is to use OpenSSL.

See this thread (multiple web archives, pick your poison):

http://markmail.org/search/?q=list:org.openssl.openssl-dev#query:list%3Aorg.openssl.openssl-dev+page:2+mid:7yosrfphbuk2giik+state:results

http://groups.google.com/group/mailing.openssl.dev/browse_thread/thread/e4b15ce3abd4f1e8#

http://marc.info/?l=openssl-dev&m=124503853216248&w=2

http://www.mail-archive.com/openssl-dev[at]openssl.org/msg26021.html

(Six mails in thread at time of my updating this bug)

So, bite the bullet and enable EVP_sha256 by default, manually, or add my
current patch, or both, or neither or ...

With the current round of advances in breaks on SHA1, I suspect we really need
to get SHA-256 support into Exim 4.70, one way or another, before there's a
pre-image attack. But I'm not a cryptanalyst.

--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com