[gnutls-devel] moving out from SHA1

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Mon Jul 17 12:51:21 CEST 2017


On Fri, Feb 24, 2017 at 10:23 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> Hi,
>  Given the first found collision for SHA1, I think it is time to plan
> removing it from the trusted set. I do not believe we can do that
> today in existing releases, as there is simply too much stuff relying on
> SHA1. Even for the web PKI, where the transition from SHA1 was already
> in place, major sites like amazon.com today provide an OCSP response
> signed with RSA-SHA1.
>
> So what I propose is to remove sha1 from the trusted set in gnutls 3.6.0
> (to be released the second half of this year). That release will
> forbid SHA1 from any operation unless special flags to indicate that
> broken algorithms are allowed are set. My intention is not to
> introduce a new flag to allow SHA1, but utilize the catch-all allow
> broken algorithms flag.
>
> In 3.5.x we forbid SHA1 for certificate verification in TLS, for the
> NORMAL and above levels, in one of the next few releases (3.5.10 or
> 3.5.11), but still allow it for TLS handshake signatures. That is, we
> take advantage of the verification PROFILEs associated with a priority
> string keyword, and even though SHA1 is in general acceptable, it will
> be refused for certificate verification. At the same time it will
> allow applications which rely on SHA1 to continue to function, as well as
> connection to old servers which use TLS signatures with SHA1 (maybe
> even treat OCSP differently to avoid breaking examples with amazon as
> above).

I think that the gradual phasing out, first for certificates and
then for everything else, makes sense also for the 3.6.0 release. SHA1
is still actively used for OCSP, DNS and possibly many other
protocols. As such I've opened the issue:
https://gitlab.com/gnutls/gnutls/issues/229
and I believe we should move more conservatively in this deprecation.
Make it happen in the 3.6.0 releases only for certificates, and postpone
the full phasing out to a few years from now.

regards,
Nikos
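Before a cut-off like the one discussed above lands, a deployment will want to find which of its certificates are still signed with SHA1. The following is an added example, not GnuTLS code or the author's: it reads the signatureAlgorithm field of a DER certificate with a minimal ASN.1 reader, builds a constructed toy certificate (placeholder tbsCertificate, real AlgorithmIdentifier) to exercise it, and also works on a real DER certificate read from disk.

```python
# Added example (not GnuTLS code): read Certificate.signatureAlgorithm from a
# DER X.509 certificate and flag SHA1-based signatures. The cert is constructed.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA1_RSA_OID_DER = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID_DER = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: arc complete
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm (RFC 5280 section 4.1)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _read_tlv(cert, 0)    # skip tbsCertificate entirely
    tag, alg_id, _ = _read_tlv(cert, after_tbs)
    tag_oid, oid_body, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid_body)

def uses_sha1(cert_der):
    """True if the certificate's own signature uses a SHA1-based algorithm."""
    return signature_algorithm(cert_der) in SHA1_SIGNATURE_OIDS

def _tlv(tag, body):                        # short-form DER encoder for the toy
    return bytes([tag, len(body)]) + body

def toy_cert(sig_oid_der):
    """Constructed stand-in: placeholder tbsCertificate, real AlgorithmIdentifier."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, sig_oid_der) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xff"))
```

For a real certificate, `uses_sha1(open("cert.der", "rb").read())` gives the same answer; it checks only the certificate's own signature, not the hash used anywhere else in the chain or in OCSP responses.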


