From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: SHA1/MD5 in IPFire
Date: Tue, 03 Mar 2015 17:47:27 +0100
Message-ID: <1425401247.2721.130.camel@ipfire.org>
In-Reply-To: <54F42AF7.9070505@web.de>

Hi,

I replied on the bug instead.

-Michael

On Mon, 2015-03-02 at 10:18 +0100, IT Superhack wrote:
> Hello Development-List,
>
> hi, it's me again.
>
> In the past, some ciphers and algorithms were broken, such as MD5, RC4,
> DES and recently SHA1.
>
> Because those are either weak or insecure, most experts recommend
> avoiding them. But nothing big happened, nearly all websites still support RC4
> or MD5, some certificates are still signed with SHA1 and so on.
>
> Even in IPFire those are still used in several categories:
> 1. On downloads.ipfire.org, the checksums use SHA1.
> 2. Until 2.17, the HTTPS certificate IPFire generated was signed with SHA1.
>
> During the last ten minutes, I tried to set up an IPSec connection and
> noticed that some of the used cryptographic technologies are
> weak/insecure, such as:
> 1. The root certificate is RSA-2048 (RSA-4096 is better) and is signed
> with SHA1.
> 2. Road-Warrior-Certificates are RSA-1024 (insecure) and signed with
> MD5, which is also insecure.
> 3. SHA1 and MD5 are allowed for authenticating (see: advanced settings).
>
> Since those endanger secure communication, it would be nice if MD5 & co.
> could be avoided in IPFire.
>
> Many thanks in advance,
> Timmothy Wilson
>
> P.S.: The Bug ID is #10763