spec: TLS certificates: avoid MD5

Make it clearer in the spec, where talking about certificates, that MD5 in certs is a really Quite Bad idea.
author: Phil Pennock <pdp@exim.org> 2013-11-10 05:16:27 -0500
committer: Phil Pennock <pdp@exim.org> 2013-11-10 05:16:27 -0500
commit: 167c587a5691aaf8fa04fbfad083fcdbe2277de6 (patch)
tree: 435a131d9706ef24ed6c8f012820dc61dfeb49d4 /doc/doc-docbook
parent: 89b68021dc688d91f57e0e20432477a57bfcf5ec (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 614259a5d..4b9f53ed1 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -26057,6 +26057,12 @@ validation to succeed, of course, but if it's not preinstalled, sending the
 root certificate along with the rest makes it available for the user to
 install if the receiving end is a client MUA that can interact with a user.
 
+Note that certificates using MD5 are unlikely to work on today's Internet;
+even if your libraries allow loading them for use in Exim when acting as a
+server, increasingly clients will not accept such certificates.  The error
+diagnostics in such a case can be frustratingly vague.
+
+
 
 .section "Self-signed certificates" "SECID187"
 .cindex "certificate" "self-signed"
author	Phil Pennock <pdp@exim.org>	2013-11-10 05:16:27 -0500
committer	Phil Pennock <pdp@exim.org>	2013-11-10 05:16:27 -0500
commit	167c587a5691aaf8fa04fbfad083fcdbe2277de6 (patch)
tree	435a131d9706ef24ed6c8f012820dc61dfeb49d4 /doc/doc-docbook
parent	89b68021dc688d91f57e0e20432477a57bfcf5ec (diff)