You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
FIPS-140 (among other "standards") does not allow the use of the old MD5 hash for cryptographic purposes. While GNU TLS is adopting an all-or-nothing strategy (never use MD5 for any purpose when in FIPS-140 mode), that strategy ignores non-crypto uses of MD5 (e.g. UUID generation) where its weaknesses are not an issue.
Since CUPS already exposes a number of security-related configuration options in client.conf, we should add another option that controls whether MD5 is allowed with Digest authentication. CUPS already prefers more secure hashes when the printer supports them so the only effective change here would be to allow configurations to break existing printers that require Digest authentication but do not implement newer hashes.
Proposed option:
DigestOptions {None|DenyMD5}
The text was updated successfully, but these errors were encountered:
FIPS-140 (among other "standards") does not allow the use of the old MD5 hash for cryptographic purposes. While GNU TLS is adopting an all-or-nothing strategy (never use MD5 for any purpose when in FIPS-140 mode), that strategy ignores non-crypto uses of MD5 (e.g. UUID generation) where its weaknesses are not an issue.
Since CUPS already exposes a number of security-related configuration options in client.conf, we should add another option that controls whether MD5 is allowed with Digest authentication. CUPS already prefers more secure hashes when the printer supports them so the only effective change here would be to allow configurations to break existing printers that require Digest authentication but do not implement newer hashes.
Proposed option:
The text was updated successfully, but these errors were encountered: