[Cross-posting to mpop-users and msmtp-users as it applies to both] Hi! On Sat, 9 Apr 2016 17:33:46 +0200, ilf wrote: > Currently, mpop(1) sais for tls_fingerprint: > > > The fingerprint can be either an SHA1 (recommended) or an MD5 > > fingerprint in the format 01:23:45:67:.... > > MD5 has been broken since 2008: [...] > > SHA-1 is also showing its age: [...] > > [...] > > I propose to: > > - implement support for SHA-2 with its six hash functions > - implement support for SHA-3 > - drop support for MD5 Thanks for pointing out this problem! I agree that MD5 needs to go and SHA1 should be avoided. However, let's not go overboard with alternatives. A quick check suggests that the one function in current widespread use to report TLS certificate fingerprints is SHA256 (Firefox, Chrome, various TLS-related websites), with SHA1 still being usually reported too. I pushed a patch to both mpop and msmtp that changes the following: - In --serverinfo, report SHA256 and SHA1 fingerprints but mark the latter as deprecated. Don't report MD5 anymore. - For --tls-fingerprint and tls_fingerprint, accept SHA256 in addition to SHA1 and MD5. - In the documentation, clearly state that SHA256 should be used. That keeps MD5 supported although it is discouraged. I expect that when certificates are renewed or replaced and thus fingerprints in the mpop/msmtp configuration need updating, users will most likely use --serverinfo to get the new fingerprint and thus update to SHA256 automatically. I see no need to break their configurations now. Any comments? Regards, Martin
Attachment:
pgpL0dpmo1Usx.pgp
Description: OpenPGP digital signature