Date: Wed, 07 Jul 2010 06:00:43 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Matthias Andree <matthias.andree@gmx.de>
Cc: Kostik Belousov <kostikbel@gmail.com>, freebsd-current@freebsd.org, Andrew Reilly <areilly@bigpond.net.au>
Subject: Re: Regression in GSSAPI/libxh509 linking? [PR bin/147175]
Message-ID: <4C3409FB.60906@infracaninophile.co.uk>
In-Reply-To: <op.vff0lpmo1e62zd@merlin.emma.line.org>
References: <op.vfexgepa1e62zd@merlin.emma.line.org> <20100706085435.GC13238@deviant.kiev.zoral.com.ua> <4C3317C6.3020009@FreeBSD.org> <20100706123325.GF13238@deviant.kiev.zoral.com.ua> <457406E5-0E8C-4DB0-97B3-C8CAA7DD3AD0@bigpond.net.au> <20100706134636.GG13238@deviant.kiev.zoral.com.ua> <9BB48431-AF0F-4DEA-8F9F-35830E147E68@bigpond.net.au> <4C337D44.7070107@infracaninophile.co.uk> <op.vff0lpmo1e62zd@merlin.emma.line.org>
On 06/07/2010 23:26:03, Matthias Andree wrote:
> On 06.07.2010, 21:00, Matthew Seaman wrote:
>
>> On 06/07/2010 15:14:28, Andrew Reilly wrote:
>>> So: how should I "fix" this, properly, on my -current system? Is it
>>> as simple as installing heimdal from ports? I can't remove openssl-1.0:
>>> that has 191 ports listed in its REQUIRED_BY file.
>>
>> Rebuild the port of openssl-1.0.0 after modifying the OPTIONS to include
>> MD2=on ?
>
> Not good given that MD2 is broken. Very broken, not just by a factor of
> 2^5 or something.
>
> Where upon rests the earlier assertion (not by Matthew) that Kerberos V
> needed MD2 checksums?
> I can't seem to find that in the KRB5 protocol and checksum RFCs. If
> it's not mandatory we may want to nuke MD2 from Kerberos to remedy a
> weakness... Chapter and Verse welcome.
Yeah. Even so, lots of software still expects it to be present and
won't link without it. I hope no one is actually using it, or running
with a cipher configuration that would permit it to be used.
Cleaning all reliance on MD2 out of the ports and base would make a very
good project for a bunch of people, and pushing those changes upstream
would certainly help make the internet a better place. Probably should
start with an experimental run on a tinderbox somewhere trying to build
all ports that are OpenSSL consumers against security/openssl with MD2
turned off.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
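As an added illustration of the check the thread is circling around (not code from the thread or from the FreeBSD ports tree): a small inventory script that lists which installed executables and shared objects still import OpenSSL's MD2 entry points, i.e. the consumers that would fail to link or load once security/openssl is built with MD2 disabled. It assumes nm(1) is available and the binaries are ELF; the symbol names are the ones OpenSSL's md2.h and evp.h export.

```shell
#!/bin/sh
# Added example: find binaries that depend on OpenSSL's MD2 symbols.
# A file that *imports* (nm type "U") any of these will break when libcrypto
# is rebuilt without MD2; libcrypto itself *defines* them (type "T") and is
# deliberately not reported.
MD2_SYMS='MD2_Init|MD2_Update|MD2_Final|MD2|EVP_md2|MD2_options'

# md2_refs: read "nm -D" style output on stdin, print each distinct MD2
# symbol that is referenced but undefined, one per line.
md2_refs() {
    awk -v pat="^(${MD2_SYMS})\$" '
        # Typical lines: "                 U MD2_Init"  (NF == 2)
        #                "0000000000001000 T main"      (NF == 3)
        NF >= 2 {
            sym = $NF; type = $(NF - 1)
            sub(/@.*/, "", sym)          # drop "@OPENSSL_1_0_0" version suffixes
            if (type == "U" && sym ~ pat && !seen[sym]++) print sym
        }'
}

# scan_tree DIR: walk DIR for executables and shared objects, report each
# file that imports MD2 together with the symbols it needs.
scan_tree() {
    find "$1" -type f \( -name '*.so*' -o -perm -u+x \) 2>/dev/null |
    while IFS= read -r f; do
        refs=$(nm -D "$f" 2>/dev/null | md2_refs | tr '\n' ' ')
        [ -n "$refs" ] && printf '%s: %s\n' "$f" "$refs"
    done
}

# Usage: sh md2scan.sh /usr/local   (no argument: only define the functions)
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

Run it over /usr/local (or a tinderbox's staging directory) before flipping the MD2 option to see the blast radius up front rather than discovering it port by port.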