Use rsa-sha256 for DKIM signatures #357

Merged (1 commit) on Jul 2, 2018

@fmeum fmeum commented Jun 26, 2018

Sympa currently uses rsa-sha1 for DKIM signatures attached to outgoing mails. It [has been shown](https://shattered.io/) that SHA-1 can no longer be considered resistant to collisions in practice, which means that it is inadequate to be used with DKIM. Since Mail::DKIM supports rsa-sha256, this is easy to fix.

@racke
Contributor

racke commented Jun 26, 2018

Makes sense to me 👍 Do you know since which version Mail::DKIM supports rsa-sha256?

@fmeum
Author

fmeum commented Jun 26, 2018

Since version 0.17 from 2006, so this should not pose any restrictions.

@racke
Contributor

racke commented Jun 26, 2018

Indeed 😇 , thanks for the report!

@xavierba
Contributor

While this is not a security issue in sympa code by itself, wouldn't it still make sense for this PR to be tagged "security" too?

@fmeum
Author

fmeum commented Jun 28, 2018 via email

@ikedas
Member

ikedas commented Jun 28, 2018

@xavierba ++

@ikedas ikedas merged commit 8a7ec93 into sympa-community:sympa-6.2 Jul 2, 2018
@ikedas ikedas added this to the 6.2.34 milestone Jul 2, 2018
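
To confirm which algorithm a list server actually signs with, the `a=` tag of the `DKIM-Signature` header on an outgoing message can be inspected. The following is an added example, not part of this pull request or of Sympa's code; the function names, the domain `lists.example.org`, the selector and both sample messages are constructed for illustration.

```python
import email
import re

WEAK_ALGORITHMS = {"rsa-sha1"}  # the algorithm this PR moves away from

def parse_tag_list(value):
    """Parse a DKIM-Signature header value into a {tag: value} dict."""
    # Unfold continuation lines: drop a line break followed by space/tab.
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", value)
    tags = {}
    for part in unfolded.split(";"):
        # Split on the first "=" only; base64 values may end in "=".
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def audit_dkim(raw_message):
    """Return one finding per DKIM-Signature header in the message."""
    msg = email.message_from_string(raw_message)
    findings = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(header)
        algo = tags.get("a", "").lower()  # compared leniently, ignoring case
        findings.append({
            "domain": tags.get("d"),
            "selector": tags.get("s"),
            "algorithm": algo or None,
            "weak": algo in WEAK_ALGORITHMS,
        })
    return findings

# Constructed sample messages (not real signatures).
SAMPLE_SHA1 = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=lists.example.org;\n"
    "\ts=sel1; h=from:to:subject; bh=Y29uc3RydWN0ZWQ=;\n"
    "\tb=Y29uc3RydWN0ZWQtc2lnbmF0dXJl\n"
    "From: list@lists.example.org\nSubject: test\n\nbody\n"
)
SAMPLE_SHA256 = SAMPLE_SHA1.replace("a=rsa-sha1", "a=rsa-sha256")

if __name__ == "__main__":
    for name, raw in (("before", SAMPLE_SHA1), ("after", SAMPLE_SHA256)):
        for finding in audit_dkim(raw):
            print(name, finding)
```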