On 09/21/2018 12:27 PM, William A Rowe Jr wrote:
> You may want to use this opportunity to drop md5 and sha1 hashes, you
> will be yelled at by ops when you attempt to publish new instances of
> these obsoleted hashes.
> Even on very stale OS's without sha256 in their tool chain, they likely
> have openssl 0.9.8 or later with sha256 support.
I can tell you that I have seen unpatched barely maintained Solaris 10
servers in the wild. Chugging along. Sadly. Those things have :
# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: ... long list here )
Sure enough .. no sha512 there nor even sha256. Or much in fact.
Many flavors of literally unsupported configurations still exist with no sha256.
If these are used as outward facing servers, that's about as good for the
security ecosystem as unpatched Windows 98/ME instances that are still
But even in these cases, it is a simple matter to download to a system that
can validate the asc pgp sig, and transfer the file from that verified source.
I see no issue here.