X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/8d68e115fc6f226cd2cdcea02adb358df5afb361..8a40db1c6153e108913c6308a95eb71725bddde3:/doc/doc-txt/GnuTLS-FAQ.txt?ds=sidebyside diff --git a/doc/doc-txt/GnuTLS-FAQ.txt b/doc/doc-txt/GnuTLS-FAQ.txt index 766e27927..ab4e5aaa6 100644 --- a/doc/doc-txt/GnuTLS-FAQ.txt +++ b/doc/doc-txt/GnuTLS-FAQ.txt @@ -6,7 +6,7 @@ Using Exim 4.80+ with GnuTLS (3) I'm seeing: "(gnutls_handshake): A TLS packet with unexpected length was received" Why? -(4) What's the deal with MD5? +(4) What's the deal with MD5? (And SHA-1?) (5) What happened to gnutls_require_kx / gnutls_require_mac / gnutls_require_protocols? (6) What's the deal with tls_dh_max_bits? What's DH? @@ -89,8 +89,8 @@ option fixes the problem, this was the cause. See Q6. -(4): What's the deal with MD5? ------------------------------- +(4): What's the deal with MD5? (And SHA-1?) +-------------------------------------------- MD5 is a hash algorithm. Hash algorithms are used to reduce a lot of data down to a fairly short value, which is supposed to be extremely hard to @@ -119,6 +119,10 @@ the ongoing costs of proving a trust relationship, such as providing revocation protocols. This is just another of those ongoing costs you have already paid for. +The same has happened to SHA-1: there are real-world collision attacks against +SHA-1, so SHA-1 is mostly defunct in certificates. GnuTLS no longer supports +its use in TLS certificates. + (5): ... gnutls_require_kx / gnutls_require_mac / gnutls_require_protocols? @@ -300,7 +304,7 @@ NORMAL.) See Q8. The current documentation, for the most recent release of GnuTLS, is available online at: - http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html + http://www.gnutls.org/manual/html_node/Priority-Strings.html Beware that if you are not using the most recent GnuTLS release then this documentation will be wrong for you! You should find the "info" documentation