SLOTH, new TLS problem.

Discussion in 'Server Operation' started by Nemis, Jan 8, 2016.

  1. Nemis

    Nemis Member

    from: http://www.mitls.org/pages/attacks/SLOTH
    "Affected Software and Responsible Disclosure

    Our attack on MD5-based signatures affects all TLS clients and servers that support RSA-MD5 and ECDSA-MD5 (DSA is typically enabled only with SHA1). This protocol-level flaw in TLS 1.2 is covered by CVE-2015-7575. Here is the list of software known to be affected. This list will evolve as we gather more information.

    OpenSSL clients and servers up to version 1.0.1e advertise, send, and accept RSA-MD5 signatures. Consequently applications that use this version are vulnerable, including those that rely on the default system OpenSSL on Red Hat Enterprise Linux 6 and 7, Debian Wheezy, Android 4.4.2 and 5.0.0, and Akamai GHost servers.
    (Fixed in OpenSSL 1.0.1f. Fixed on all Akamai servers on 17th Dec 2015. Fixed in RHEL 6 and 7 on 6th January 2016 via updates to the OpenSSL, NSS, and GnuTLS packages.)
    NSS clients (but not servers) up to version 3.20 accept RSA-MD5 server signatures even though clients do not offer RSA-MD5 in the ClientHello. This affects all versions of Firefox up to 42.
    (Fixed in NSS version 3.21, Firefox 43.)
    Oracle Java clients and servers up to version 8u66 (and 7u79) advertise, send, and accept RSA-MD5 client and server signatures.
    (Fixed in main codeline on 23rd December 2015, scheduled for a future CPU)
    GnuTLS clients and servers up to version 3.3.14 accept RSA-MD5 signatures even if the client or server disables them (using the priority string, for example).
    (Fixed in 3.3.15 - GNUTLS-SA-2015-2)
    BouncyCastle Java clients up to version 1.53 (C# clients up to 1.8.0) accept RSA-MD5 server signatures even if the client did not offer RSA-MD5 in the ClientHello. BouncyCastle servers up to the same versions may offer and accept RSA-MD5 signatures depending upon application configuration.
    (Fixed in Java version 1.54 and C# version 1.8.1)
    PolarSSL/mbedTLS up to 2.2.0 offers and accepts RSA-MD5 and ECDSA-MD5 signatures for server (but not client) authentication in its default configuration.
    (Fixed in mbedTLS 2.2.1, 2.1.4, 1.3.16.)
    Other TLS libraries are being tested. If you know of any TLS library that supports RSA-MD5, please let us know at the contacts below.
    Internet scans by Hubert Kario show that 32% of TLS servers support RSA-MD5 signatures as of November 2015."
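
The common client-side defect in the quoted list (NSS, BouncyCastle) is accepting a server signature whose SignatureAndHashAlgorithm was never offered in the client's signature_algorithms extension. Below is an added example, not code from the post or from mitls.org, of the check a TLS 1.2 client should perform: it parses the extension body (RFC 5246 wire format), verifies the server's chosen pair was actually offered, and refuses any MD5-based pair outright. The sample extension bytes are constructed for the example.

```python
# Added example (not from the post or mitls.org): the client-side check that the
# affected NSS/BouncyCastle clients skipped. In TLS 1.2 (RFC 5246 section 7.4.1.4.1)
# the client's signature_algorithms extension lists SignatureAndHashAlgorithm pairs;
# a server-side signature (e.g. in ServerKeyExchange) must use one of them, and a
# hardened client also refuses MD5 (hash id 1) even if it was somehow offered.

import struct

# HashAlgorithm and SignatureAlgorithm identifiers from RFC 5246.
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
MD5 = 1
WEAK_HASHES = {MD5}  # hashes refused regardless of what the client offered


def parse_signature_algorithms(ext_body: bytes) -> list:
    """Parse the body of a signature_algorithms extension into (hash, sig) pairs."""
    if len(ext_body) < 2:
        raise ValueError("extension body too short")
    (length,) = struct.unpack("!H", ext_body[:2])
    if length % 2 or 2 + length != len(ext_body):
        raise ValueError("bad supported_signature_algorithms length")
    return [(ext_body[i], ext_body[i + 1]) for i in range(2, 2 + length, 2)]


def check_server_signature(offered: list, used: tuple) -> tuple:
    """Return (accepted, reason) for the algorithm pair the server signed with."""
    h, s = used
    name = f"{SIG_NAMES.get(s, s)}-{HASH_NAMES.get(h, h)}"
    if h in WEAK_HASHES:
        return (False, f"{name}: MD5-based signatures refused (CVE-2015-7575)")
    if used not in offered:
        return (False, f"{name}: not in the client's signature_algorithms")
    return (True, f"{name}: offered by the client and acceptable")


# Constructed sample: extension body offering sha256/rsa, sha256/ecdsa, sha1/rsa.
CLIENT_OFFER = bytes([0x00, 0x06, 0x04, 0x01, 0x04, 0x03, 0x02, 0x01])

if __name__ == "__main__":
    offered = parse_signature_algorithms(CLIENT_OFFER)
    for used in [(4, 1), (1, 1), (2, 3)]:
        print(check_server_signature(offered, used))
```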