RHEL-50106

LEGACY policy should not permit SHA-1 signature use

    • crypto-policies-20240725-1.git3de485c.el10
    • rhel-sst-security-crypto
    • ssg_security
    • Crypto24Q3

      AC1) SHA1 is not allowed in TLS signatures in any base* policy

      AC2) SHA1 is not allowed in TLS in certificates

      • LEGACY, DEFAULT, FUTURE, FIPS
    • Pass
    • Not Needed
    • Removed Functionality
      .The `LEGACY` cryptographic policy disallows SHA-1 signatures in TLS

      The `LEGACY` system-wide cryptographic policy in RHEL 10 no longer allows creating or verifying signatures that use SHA-1 in TLS contexts. Therefore, libraries other than OpenSSL might no longer accept or create any signatures that use SHA-1 regardless of use case. OpenSSL continues to accept signatures that use SHA-1 when not used for TLS if the system is in `LEGACY` or this functionality is re-enabled with a custom subpolicy.

      //If you need SHA-1 signatures in TLS connections, you can re-enable them by following $KB_ARTICLE_TO_BE_WRITTEN (see CRYPTO-14782).
    • Done

      For consistency between the libraries, the LEGACY policy should disable support for SHA-1 signatures in the TLS context: SHA-1 signatures in TLS handshake messages and SHA-1 signatures in certificates used for TLS.

              Alexander Sosedkin (asosedki@redhat.com)
              Alicja Kario (hkario@redhat.com)
              Alexander Sosedkin
              Ondrej Moris
              Jan Fiala