MD5 considered harmful today, SHA-1 considered harmful tomorrow

Victor Duchovni Victor.Duchovni at morganstanley.com
Mon Jan 19 13:14:40 EST 2009


On Mon, Jan 19, 2009 at 10:45:55AM +0100, Bodo Moeller wrote:

> The RFC does exist (TLS 1.2 in RFC 5246 from August 2008 makes SHA-256
> mandatory), so you can send a SHA-256 certificate to clients that
> indicate they support TLS 1.2 or later.  You'd still need some other
> certificate for interoperability with clients that don't support
> SHA-256, of course, and you'd be sending that one to clients that do
> support SHA-256 but not TLS 1.2.  (So you'd fall back to SHA-1, which
> is not really a problem when CAs make sure to use the hash algorithm
> in a way that doesn't rely on hash collisions being hard to find,
> which probably is a good idea for *any* hash algorithm.)

It would be helpful if, as a first step, SSL_library_init() (a.k.a.
OpenSSL_add_ssl_algorithms()) enabled the SHA-2 family of digests.
I would make this change in the 0.9.9 development snapshots.

[ Off topic: I find OpenSSL release-engineering a rather puzzling
process. The "patch" releases are in fact feature releases, and there
are no real patch releases even for critical security issues.  I chose
to backport the 0.9.8j security fixes to 0.9.8i and sit out all the
new FIPS code, ... This should not be necessary. I really hope to see
real OpenSSL patch releases some day with development of new features
*strictly* in the development snapshots. Ideally this will start with
0.9.9a, with no new features, just bugfixes, in [b-z]. ]

-- 
	Viktor.
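An added example, not part of the thread above: a small Python program that
reads the signatureAlgorithm OID out of a DER certificate to tell whether it
was signed with SHA-1 or SHA-256, and applies the selection rule Bodo
describes (SHA-256 certificate to clients that negotiate TLS 1.2 or later,
SHA-1 certificate to everyone else). The certificates are constructed DER
skeletons built inline, not real certificates; the OID table covers only the
four common RSA/ECDSA signature algorithms and everything else reports as
"unknown".

```python
"""Which hash signed this certificate, and which certificate to present.

Constructed example: the DER below is a minimal Certificate skeleton
(tbsCertificate placeholder, signatureAlgorithm, signatureValue), not a
real X.509 certificate. Only the signatureAlgorithm part is meaningful.
"""

# Signature algorithm OIDs -> (key algorithm, hash). Anything else is "unknown".
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("RSA", "SHA-1"),       # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),    # sha256WithRSAEncryption
    "1.2.840.10045.4.1": ("ECDSA", "SHA-1"),        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": ("ECDSA", "SHA-256"),    # ecdsa-with-SHA256
}


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    """Wrap body in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = bytearray([p & 0x7F])
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += enc
    return der(0x06, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, body, position after this element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:      # last octet of this arc
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def signature_hash(cert_der):
    """Name of the hash in the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)                # tbsCertificate (skipped)
    _, algid, _ = _read_tlv(cert, pos)               # signatureAlgorithm
    tag, oid_body, _ = _read_tlv(algid, 0)           # algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return SIG_ALG_OIDS.get(decode_oid(oid_body), ("unknown", "unknown"))[1]


def make_cert(sig_oid):
    """Constructed certificate skeleton carrying the given signature OID."""
    tbs = der(0x30, der(0x02, b"\x01"))                      # placeholder body
    algid = der(0x30, der_oid(sig_oid) + der(0x05, b""))     # AlgorithmIdentifier
    sig = der(0x03, b"\x00" + b"\xaa" * 4)                   # dummy BIT STRING
    return der(0x30, tbs + algid + sig)


def choose_cert(certs, client_max_tls):
    """Pick the certificate to present, following the thread's rule:
    TLS 1.2+ clients must support SHA-256, older clients get the SHA-1 one
    because pre-1.2 handshakes give no hint about their digest support."""
    wanted = "SHA-256" if client_max_tls >= (1, 2) else "SHA-1"
    chosen = certs[wanted]
    assert signature_hash(chosen) == wanted, "certificate inventory mislabelled"
    return chosen


if __name__ == "__main__":
    inventory = {
        "SHA-256": make_cert("1.2.840.113549.1.1.11"),
        "SHA-1": make_cert("1.2.840.113549.1.1.5"),
    }
    for version in [(1, 0), (1, 1), (1, 2), (1, 3)]:
        print("TLS %d.%d -> %s" % (version + (signature_hash(choose_cert(inventory, version)),)))
```

The `assert` in `choose_cert` is the operational check: the inventory is keyed
by what the operator believes each certificate is, and re-reading the
signature OID catches a SHA-1 certificate filed under the SHA-256 slot before
it is ever sent to a client.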

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
