Re: Updating SSL keys on fedoraproject.org 2011-03-10


 



On 03/10/2011 09:17 AM, Stephen John Smoogen wrote:
> On Thu, Mar 10, 2011 at 01:07, Petr Pisar <ppisar@xxxxxxxxxx> wrote:
>> On 2011-03-10, Stephen Smoogen <smooge@xxxxxxxxx> wrote:
>>> We have already updated fedorahosted.org and will now be updating the
>>> cert for the main site: fedoraproject.org.
>>>
>>> The old certificate came from Equifax, was a 1024 bit key and had the
>>> fingerprint:
>> [...]
>>> The new certificate is issued by GeoTrust, Inc and is a 4096 bit key
>>> with the fingerprint:
>>>
>> Key length is not everything. Didn't you forget to upgrade hash
>> algorithm? Sticking on SHA-1 that's been abandoned by ETSI and other
>> authorities does not look most safely.
> From my research to use the SHA-2 in TLS requires the user and server
> to be both able to talk TLS-1.2. From what I found at wikipedia
> (http://en.wikipedia.org/wiki/Transport_Layer_Security) Firefox does
> not support 1.2 (only Opera and IE8 do).
There is more than one use for SHA-1/SHA-2. TLS uses SHA-1 as an
HMAC. SHA-1 is still strong for such use (though prudence would
encourage one to move off of SHA-1 even for this operation).

SHA-1 is also used in the certificate. That, in theory, doesn't require
TLS 1.2, though only TLS 1.2 includes protocol to tell servers what
hashing algorithms the clients support, so in a strict sense only TLS
tells you whether or not it's safe to use a cert with something other
than SHA-1 or MD5. Most modern browsers will support SHA-2 algorithms in
the certificate (even when using SSL3, to TLS 1.x). The notable
exceptions are versions of Windows older than Windows XP service patch 3,
and several older phones.

Many CAs are apparently starting to move to SHA-256 roots this year,
mostly driven by NIST standards.

bob



-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
