On 2011-03-10, Robert Relyea <rrelyea@xxxxxxxxxx> wrote: > SHA-1 is also used in the certificate. That, in theory, doesn't require > TLS 1.2, though only TLS 1.2 includes protocol to tell servers what > hashing algorithms the clients support, so in a strict sense only TLS > tells you whether or not it's safe to use a cert with something other > than SHA-1 or MD5. Most modern browers will support SHA-2 algorithms in > the certificate (even when using SSL3, to TLS 1.x). The notable > exceptions is verisons of Windows older than Windows XP service patch 3, > and several older phones. > That's the hash usage I refered. I was amazed the certificate signature algorithm is RSAwithSHA1. As it was said this does not dependend on TLS version. > Many CA's are apparently starting to move SHA-256 roots this year, > mostly driven by NIST standards. > This year? In Europe we are over. All quallified CA's are forbiden to issue SHA-1 certificates since begin of 2010. -- Petr -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
