Re: F41 Change Proposal: Make OpenSSL distrust SHA-1 signatures by default (system-wide)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Dear Roberto

On Sun, Jun 9, 2024 at 1:16 PM Roberto Ragusa <mail@xxxxxxxxxxxxxxxx> wrote:
On 6/9/24 11:27, Dmitry Belyavskiy wrote:
>
> On Sun, Jun 9, 2024 at 11:22 AM Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx <mailto:zbyszek@xxxxxxxxx>> wrote:
>
>     In https://fedoraproject.org/wiki/SHA1SignaturesGuidance <https://fedoraproject.org/wiki/SHA1SignaturesGuidance>:
>      > At the moment, we don't provide a public API to enable SHA-1 signature
>      > support in OpenSSL programmatically. We ask you to respect the system
>      > administrator's configuration choice on this. We're planning to work
>      > with OpenSSL upstream to introduce a more suitable API in the future
>
>     Any news on this? Being able to make this policy configurable at application
>     level would make things _much_ easier.
>
>
> We don't plan to provide such an API, sorry. SHA1 is insecure. It should be eliminated from the crypto contexts _before_ a second-preimage attack starts to cost $0.02


Is it the library's job to decide policies about security levels?
Each time algorithms are "distrusted" people get problems mostly with things
where security is not really critical at all, like connecting to their local
hypervisor, their arduino boards, their home thermostat, etc. etc. etc.
Let's hope at least the policies will be tweakable enough, I've seen cases
where people were proposing removal of algorithms from the code, which is crazy
(why should a library refuse to do an RC4 calculation for me?).

You still are able to use SHA1 and RC4 using openssl.

The distribution should provide a necessary level of security defaults.Those who understand why they don't need enough security, can relax any limitations.

--
Dmitry Belyavskiy
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux