> On Jul 10, 2017, at 1:12 PM, Niklas Keller <me@xxxxxxxxxxx> wrote:
>
> It's very well worth the effort, otherwise there's a security issue, because certificates can be forged.

Collision attacks don't directly lead to certificate forgery. There are no known 2nd-preimage attacks on SHA-1. The previous MD5 attack required CAs to issue certificates with predictable content (serial numbers and the like) so that the requested certificate collides with a rogue certificate with basicConstraints CA:true. Unpredictable serial numbers defeat that attack.

If trusted CAs are no longer issuing SHA-1 certificates, then soon you won't need to detect SHA-1 certificates in trusted chains, as there won't be any such certificates issued by trusted CAs.

Anyway, if you must, you can inspect the chain as it is being verified via the verify callback, keep track of the maximum depth (the final set of callbacks when all goes well starts with the topmost CA certificate and goes down towards the leaf) and reject SHA-1 at depths below any depth seen before. That's a bunch of code, to address an issue that is solving itself naturally through attrition.

--
	Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users