Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-47210

-cipher DEFAULT:@SECLEVEL=0 -sigalgs SHA1+RSA does not enable support for SHA-1 signatures

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • None
    • Moderate
    • 1
    • rhel-security-crypto
    • ssg_security
    • 0.2
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto24Q3
    • Hide

      AC1) In DEFAULT policy without SECLEVEL=0, SHA-1 should fail

      AC2) In DEFAULT policy with SECLEVEL=0, SHA-1 should fail

      AC3) In LEGACY policy without SECLEVEL=0, SHA-1 should fail

      AC4) In LEGACY policy with SECLEVEL=0, SHA-1 should be accepted

      Show
      AC1) In DEFAULT policy without SECLEVEL=0, SHA-1 should fail AC2) In DEFAULT policy with SECLEVEL=0, SHA-1 should fail AC3) In LEGACY policy without SECLEVEL=0, SHA-1 should fail AC4) In LEGACY policy with SECLEVEL=0, SHA-1 should be accepted
    • Pass
    • None
    • Bug Fix
    • Hide
      .Switching to LEGACY policy does not enable support for SHA-1 in TLS connections
       
      You can control support for SHA-1 signatures either by the `@SECLEVEL` setting specified in the default cipher string or the `rh-allow-sha1-signatures` property. Support for SHA-1 in the TLS context is enabled by setting `@SECLEVEL=0`. However, this setting also allows other insecure algorithms.

      You can override the `SECLEVEL` setting by specifying the `rh-allow-sha1-signatures` property in the `evp_properties` section. By default and when unspecified in the configuration file, `evp_properties` is set to `no`. The system-wide cryptographic policies set the property to `yes` after you switch to the `LEGACY` policy.

      Therefore, to enable support for SHA-1 in contexts outside TLS, you can switch the system to the `LEGACY` cryptographic policy. To enable SHA-1 in TLS, you must switch the system to `LEGACY` and use a cipher string that sets `@SECLEVEL=0` either by defining a custom cryptographic policy or setting this for your application in OpenSSL.
      Show
      .Switching to LEGACY policy does not enable support for SHA-1 in TLS connections   You can control support for SHA-1 signatures either by the `@SECLEVEL` setting specified in the default cipher string or the `rh-allow-sha1-signatures` property. Support for SHA-1 in the TLS context is enabled by setting `@SECLEVEL=0`. However, this setting also allows other insecure algorithms. You can override the `SECLEVEL` setting by specifying the `rh-allow-sha1-signatures` property in the `evp_properties` section. By default and when unspecified in the configuration file, `evp_properties` is set to `no`. The system-wide cryptographic policies set the property to `yes` after you switch to the `LEGACY` policy. Therefore, to enable support for SHA-1 in contexts outside TLS, you can switch the system to the `LEGACY` cryptographic policy. To enable SHA-1 in TLS, you must switch the system to `LEGACY` and use a cipher string that sets `@SECLEVEL=0` either by defining a custom cryptographic policy or setting this for your application in OpenSSL.
    • Done
    • None

      When the server is configured with -cipher DEFAULT:@SECLEVEL=0 -sigalgs SHA1+RSA then TLS1.2 clients that advertise support for SHA-1 signatures implicitly (by not including sig_algs extension) can't connect to the server, the server sends handshake_failure alert

              rh-ee-gpantela George Pantelakis
              hkario@redhat.com Alicja Kario
              Sahana Prasad Hebbur Narasimha Prasad Sahana Prasad Hebbur Narasimha Prasad
              George Pantelakis George Pantelakis
              Mirek Jahoda Mirek Jahoda
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: