[cap-talk] SANS Institute's "25 Most Dangerous Programming Errors"
Jack Lloyd
lloyd at randombit.net
Mon Jan 12 19:50:39 EST 2009
On Mon, Jan 12, 2009 at 04:31:52PM -0800, Bill Frantz wrote:
> Diffie-Hellman is now considered a bit small, but is still OK. DSA depends
> on SHA1, but I don't know about possible replacements.
FIPS 186-3 allows the use of DSA with larger groups and with SHA-2.
> Note that OpenSSL does not yet implement SHA2. Since OpenSSL is widely used
> by open source software, it does not allow implementation of the
> recommended fix for the weakening of SHA1 which is to use SHA2.
OpenSSL does contain implementations of the SHA-2 hashes; it just does
not support them in the SSL/TLS protocol implementation (or in
certificates, IIRC).
-Jack