X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/42bfef1e908fe60f8a7a86e66616b51702f1c0fb..5ce86c4f552071ad7408c40324d5211ab2a2da82:/doc/doc-txt/GnuTLS-FAQ.txt diff --git a/doc/doc-txt/GnuTLS-FAQ.txt b/doc/doc-txt/GnuTLS-FAQ.txt index 897087582..ab4e5aaa6 100644 --- a/doc/doc-txt/GnuTLS-FAQ.txt +++ b/doc/doc-txt/GnuTLS-FAQ.txt @@ -6,7 +6,7 @@ Using Exim 4.80+ with GnuTLS (3) I'm seeing: "(gnutls_handshake): A TLS packet with unexpected length was received" Why? -(4) What's the deal with MD5? +(4) What's the deal with MD5? (And SHA-1?) (5) What happened to gnutls_require_kx / gnutls_require_mac / gnutls_require_protocols? (6) What's the deal with tls_dh_max_bits? What's DH? @@ -89,8 +89,8 @@ option fixes the problem, this was the cause. See Q6. -(4): What's the deal with MD5? ------------------------------- +(4): What's the deal with MD5? (And SHA-1?) +-------------------------------------------- MD5 is a hash algorithm. Hash algorithms are used to reduce a lot of data down to a fairly short value, which is supposed to be extremely hard to @@ -119,6 +119,10 @@ the ongoing costs of proving a trust relationship, such as providing revocation protocols. This is just another of those ongoing costs you have already paid for. +The same has happened to SHA-1: there are real-world collision attacks against +SHA-1, so SHA-1 is mostly defunct in certificates. GnuTLS no longer supports +its use in TLS certificates. + (5): ... gnutls_require_kx / gnutls_require_mac / gnutls_require_protocols?