Bug#847743: sendmail: STARTTLS server fails with "ca md too weak"



On Mon, Dec 12, 2016 at 04:57:26PM +0100, Andreas Beckmann wrote:
> On 2016-12-12 16:51, Joerg Dorchain wrote:
> > Even in that case, IMHO it would be an idea to mark this bug as
> > "won't fix", or even to leave a line in the NEWS.debian, just in
> > case this version ever hits stable, as a hint for other CACert users
> > (or someone with md5-signatures)  out there.
> 
> A NEWS entry sounds sensible. Could you provide some wording?

Let's try:

MD5-Signature obsoleted for STARTTLS:
With recent openssl, md5-based certificate signatures are
obsoleted. This explicitly concerns users of CACert certificates
as of December 2016. Symptoms are log lines containing "ca md too
weak" when receiving mails. Workaround is adding @SECLEVEL=0 to
the used cipher string. Solution is to get a certificate without
md5-signatures in the chain. cfr. Bug#847743

Bye,

Joerg
