On 6/9/24 11:27, Dmitry Belyavskiy wrote:
On Sun, Jun 9, 2024 at 11:22 AM Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx <mailto:zbyszek@xxxxxxxxx>> wrote: In https://fedoraproject.org/wiki/SHA1SignaturesGuidance <https://fedoraproject.org/wiki/SHA1SignaturesGuidance>: > At the moment, we don't provide a public API to enable SHA-1 signature > support in OpenSSL programmatically. We ask you to respect the system > administrator's configuration choice on this. We're planning to work > with OpenSSL upstream to introduce a more suitable API in the future Any news on this? Being able to make this policy configurable at application level would make things _much_ easier. We don't plan to provide such an API, sorry. SHA1 is insecure. It should be eliminated from the crypto contexts _before_ a second-preimage attack starts to cost $0.02
Is it the library's job to decide policies about security levels? Each time algorithms are "distrusted" people get problems mostly with things where security is not really critical at all, like connecting to their local hypervisor, their arduino boards, their home thermostat, etc. etc. etc. Let's hope at least the policies will be tweakable enough, I've seen cases where people were proposing removal of algorithms from the code, which is crazy (why should a library refuse to do an RC4 calculation for me?). Regards. -- Roberto Ragusa mail at robertoragusa.it -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
