On 01/27/2017 10:59 AM, Leonard den Ottolander wrote: > https://en.wikipedia.org/wiki/MD5 seems to disagree: No, it doesn't. That page links to RFC 6151, which notes: "It is not urgent to stop using MD5 in other ways, such as HMAC-MD5" There's nothing wrong with disabling hmac-md5 in your own configurations. I do it. But having it enabled is not considered by experts to be a flaw, and it should not be alarming.