funsec mailing list archives

Re: Fake CA MD5 questions

From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 31 Dec 2008 16:29:03 +0100

* Jason Ross:

To partially answer the first question anyway, a very quick and
likely imprecise check of my Debian default installation of openssl
contains the following 24 CA certs as using "md5WithRSAEncryption"
for the Signature Algorithm:


These are self-signatures and typically not checked.  When these
certificates are used as issuers, they can use SHA-1, and are not
restricted to MD5.  (Same comment applies to the certificates with MD2
self-signatures.)

Only the CA knows if they still issue certificates with MD5
signatures.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

reliable IOS exploitation Gadi Evron (Dec 29)
- Re: reliable IOS exploitation Charles Miller (Dec 29)
  - Re: reliable IOS exploitation Gadi Evron (Dec 29)
  - 25c3 (was: Re: reliable IOS exploitation) Jacob Appelbaum (Dec 30)
    - Re: 25c3 (was: Re: reliable IOS exploitation) Colin K Rognlie (Dec 30)
    - Fake CA MD5 questions Rob, grandpa of Ryan, Trevor, Devon & Hannah (Dec 30)
    - Re: Fake CA MD5 questions Valdis . Kletnieks (Dec 30)
    - Re: Fake CA MD5 questions Valdis . Kletnieks (Dec 30)
    - Re: Fake CA MD5 questions Jason Ross (Dec 30)
    - Re: Fake CA MD5 questions Florian Weimer (Dec 31)