[erlang-questions] OpenSSL 1.0 removed md2 and this affects Erlang/OTP builds.

Attila Rajmund Nohl attila.r.nohl@REDACTED
Wed Oct 5 14:24:14 CEST 2011


2011/10/5, Jesper Louis Andersen <jesper.louis.andersen@REDACTED>:
[...]
> On the same basis: When do we get to ditch MD5 and SHA1?

They are used by SNMPv3 so I don't think it's that easy to ditch them...

> Both message
> digests are probably going to become problematic. MD5 is already
> broken for its 2nd preimage resistance to the point where nobody can
> use it for that anymore.

As far as I know, it is possible to generate two sets of binary data
that have the same MD5 digest. It is also possible to generate two sets
of formatted binary data in a format (.doc file, etc.) that have the
same MD5 digest - the key is that these formats can include binary
junk that is actually not used. Again, as far as I know, the SNMPv3
packet format is not quite like this, so I'm not sure we can say that
MD5 authentication is broken for SNMPv3. I definitely would like to
keep MD5 in the future.

Anyway, I think there are millions of devices out there with SNMPv3
support that won't be upgraded before their hardware finally breaks
down or are sold to scrap.
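
Added illustration, not part of the original message: in SNMPv3's User-based Security Model (RFC 3414), MD5 is used as keyed HMAC-MD5-96 with a password-derived key localized to the engine ID. The Python sketch below implements that derivation and the tag check; the function names are my own and the message bytes are constructed placeholders, not a real BER-encoded packet.

```python
import hashlib
import hmac

MEGABYTE = 1048576  # RFC 3414 A.2.1 hashes exactly this many octets


def password_to_key_md5(password: bytes) -> bytes:
    """Ku: MD5 over the password repeated cyclically to 1,048,576 octets."""
    if not password:
        raise ValueError("password must not be empty")
    reps = MEGABYTE // len(password) + 1
    return hashlib.md5((password * reps)[:MEGABYTE]).digest()


def localize_key_md5(ku: bytes, engine_id: bytes) -> bytes:
    """Kul: MD5(Ku || snmpEngineID || Ku), so each engine gets its own key."""
    return hashlib.md5(ku + engine_id + ku).digest()


def hmac_md5_96(auth_key: bytes, whole_msg: bytes) -> bytes:
    """Authentication tag: first 12 octets of HMAC-MD5 over the message.

    whole_msg is the message with the 12-octet authentication field
    zero-filled, as the sender and receiver both compute it.
    """
    return hmac.new(auth_key, whole_msg, hashlib.md5).digest()[:12]


def verify(auth_key: bytes, whole_msg: bytes, received_tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_md5_96(auth_key, whole_msg), received_tag)


def demo() -> dict:
    # Password and engine ID are the sample values from RFC 3414 A.3.1.
    engine_id = bytes.fromhex("000000000000000000000002")
    kul = localize_key_md5(password_to_key_md5(b"maplesyrup"), engine_id)
    # Constructed stand-in for a message with a zeroed 12-octet auth field.
    msg = b"constructed-header" + b"\x00" * 12 + b"constructed-scoped-pdu"
    tag = hmac_md5_96(kul, msg)
    return {
        "kul": kul.hex(),
        "tag_len": len(tag),
        "accepts_original": verify(kul, msg, tag),
        "accepts_modified": verify(kul, msg + b"x", tag),
    }


if __name__ == "__main__":
    print(demo())
```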


