On 04/17/2011 09:45 AM, Simon Josefsson wrote:

>>> thank you for taking the time to test the packages in experimental. I
>>> can reproduce the bug.
>>>
>>> For clarification it is not caused by libgcrypt11 from experimental,
>>> libgnutls26 2.12.2-1 with stable libgcrypt11 also fails. Attached
>>> verbose log is not a lot more enlightening.
>>
>> d3nwyuy0nl342s.cloudfront.net seems to support only one ciphersuite.
>> That is ARCFOUR-128 with HMAC-MD5. I disabled HMAC-MD5 from the default
>> set in 2.12.0 because it is not really trusted as an HMAC any more.
>> If however this is a widespread issue I'll reinstate HMAC-MD5 and
>> remove it when a real attack is known.
>
> I thought there weren't any attacks on HMAC-MD5, have I missed anything?

That's what I say above. No real attacks exist although its security is
questioned (ECRYPT II report on algorithms and key sizes). The text mentions:

"The recent advances in the cryptanalysis of MD5 (see Section 10.3), and
specifically HMAC-MD5 (e.g. [58, 143, 213, 83, 256]), suggest that
implementers should move away from HMAC-MD5 as soon as possible."

regards,
Nikos
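
An added illustration, not part of the original messages or of GnuTLS: a minimal model of TLS cipher-suite selection showing why a client whose default MAC set lacks MD5 gets a handshake failure from a server that accepts only RC4-128 with HMAC-MD5. The suite subset, the function names and the server model are assumptions constructed for the example; it does not reproduce the actual GnuTLS 2.12 default priority list.

```python
import struct

# IANA TLS cipher suite code points -> (name, MAC).
# Constructed subset for illustration, not the GnuTLS default list.
SUITES = {
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "MD5"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "SHA1"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SHA1"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "SHA1"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "SHA1"),
}
HANDSHAKE_FAILURE = 40  # TLS alert description code


def client_offer(allowed_macs):
    """Encode a ClientHello cipher_suites vector (2-byte length, 2-byte IDs)."""
    ids = [cs for cs, (_, mac) in sorted(SUITES.items()) if mac in allowed_macs]
    return struct.pack(">H", 2 * len(ids)) + b"".join(struct.pack(">H", i) for i in ids)


def parse_offer(vector):
    """Decode a cipher_suites vector, rejecting truncated or odd-length input."""
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack(">H", vector[:2])
    body = vector[2:]
    if length != len(body) or length % 2:
        raise ValueError("bad cipher_suites length")
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(0, length, 2)]


def server_select(vector, server_suites):
    """Return ('ok', name) for the first mutually supported suite, else the alert."""
    for cs in parse_offer(vector):
        if cs in server_suites:
            return ("ok", SUITES[cs][0])
    return ("alert", HANDSHAKE_FAILURE)


# Constructed model of the server in the report: RC4-128 with HMAC-MD5 only.
SERVER_ONLY_RC4_MD5 = {0x0004}

if __name__ == "__main__":
    # MD5 removed from the client's MAC set: no common suite, handshake fails.
    print(server_select(client_offer({"SHA1"}), SERVER_ONLY_RC4_MD5))
    # MD5 reinstated: the single common suite is selected.
    print(server_select(client_offer({"SHA1", "MD5"}), SERVER_ONLY_RC4_MD5))
```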