Dear Roberto
On Sun, Jun 9, 2024 at 1:16 PM Roberto Ragusa <mail@xxxxxxxxxxxxxxxx> wrote:
On 6/9/24 11:27, Dmitry Belyavskiy wrote:
>
> On Sun, Jun 9, 2024 at 11:22 AM Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx <mailto:zbyszek@xxxxxxxxx>> wrote:
>
> In https://fedoraproject.org/wiki/SHA1SignaturesGuidance <https://fedoraproject.org/wiki/SHA1SignaturesGuidance>:
> > At the moment, we don't provide a public API to enable SHA-1 signature
> > support in OpenSSL programmatically. We ask you to respect the system
> > administrator's configuration choice on this. We're planning to work
> > with OpenSSL upstream to introduce a more suitable API in the future
>
> Any news on this? Being able to make this policy configurable at application
> level would make things _much_ easier.
>
>
> We don't plan to provide such an API, sorry. SHA1 is insecure. It should be eliminated from the crypto contexts _before_ a second-preimage attack starts to cost $0.02
Is it the library's job to decide policies about security levels?
Each time algorithms are "distrusted" people get problems mostly with things
where security is not really critical at all, like connecting to their local
hypervisor, their arduino boards, their home thermostat, etc. etc. etc.
Let's hope at least the policies will be tweakable enough, I've seen cases
where people were proposing removal of algorithms from the code, which is crazy
(why should a library refuse to do an RC4 calculation for me?).
You still are able to use SHA1 and RC4 using openssl.
The distribution should provide a necessary level of security defaults.Those who understand why they don't need enough security, can relax any limitations.
Dmitry Belyavskiy
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue