RHEL-50106

LEGACY policy should not permit SHA-1 signature use

    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-10.0.beta
    • rhel-10.0.beta
    • crypto-policies
    • crypto-policies-20240725-1.git3de485c.el10
    • 1
    • sst_security_crypto
    • ssg_security
    • 30
    • Yes
    • Crypto24Q3

      AC1) SHA1 is not allowed in TLS signatures in any base* policy

      AC2) SHA1 is not allowed in TLS in certificates

      • LEGACY, DEFAULT, FUTURE, FIPS
    • Pass
    • Not Needed
    • None
    • Removed Functionality
      The `LEGACY` crypto-policy in RHEL 10 will no longer allow creating or verifying signatures that use SHA-1 in TLS contexts. For libraries other than OpenSSL, this may mean that they no longer accept or create any signatures using SHA-1, regardless of the use case. OpenSSL will continue to accept signatures that use SHA-1 when not used for TLS if the system is in the `LEGACY` crypto-policy or using the `SHA-1` crypto-policy module.

      Customers who rely on SHA-1 signatures in TLS connections can re-enable this by following $KB_ARTICLE_TO_BE_WRITTEN (see CRYPTO-14782).
    • Proposed

      For consistency between the libraries, the LEGACY policy should disable support for SHA-1 signatures in TLS context (SHA-1 signatures in TLS messages and SHA-1 signatures in certificates used in TLS).
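As an added example (not code from the issue, from crypto-policies or from any Red Hat library): a pre-migration check that reads a PEM bundle and lists the certificates whose signature algorithm is SHA-1 based, i.e. the certificates in a TLS chain that the tightened LEGACY policy described above would refuse. The sample certificates are constructed stubs that model only the outer Certificate SEQUENCE, and the OID table and helper names are assumptions of this example.

```python
"""Added example, not from RHEL-50106 or crypto-policies: report the certificates in a PEM bundle
whose signature uses SHA-1, i.e. those a TLS stack applying the RHEL 10 LEGACY rule would reject.
Minimal DER reader; the sample certificates are constructed stubs of the outer shape only."""
import base64
SHA1_SIGNATURE_OIDS = {                 # AlgorithmIdentifier OIDs of SHA-1 based signature schemes
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):                # -> (tag, contents, position just after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits count the following length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):                   # OBJECT IDENTIFIER contents -> dotted form
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                   # base-128 arcs, high bit set on continuation octets
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """OID in the signatureAlgorithm field of a DER-encoded X.509 Certificate."""
    _, cert, _ = _read_tlv(der, 0)      # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sigValue }
    _, _, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos) # signatureAlgorithm ::= SEQUENCE { OID, parameters }
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OBJECT IDENTIFIER")
    return _decode_oid(oid)

def sha1_signed_certs(pem_bundle):
    """(index, scheme) for every certificate in the bundle whose signature is SHA-1 based."""
    blocks = [b.split("-----END CERTIFICATE-----")[0] for b in pem_bundle.split("-----BEGIN CERTIFICATE-----")[1:]]
    oids = [signature_oid(base64.b64decode("".join(b.split()))) for b in blocks]
    return [(i, SHA1_SIGNATURE_OIDS[o]) for i, o in enumerate(oids) if o in SHA1_SIGNATURE_OIDS]

def _der(tag, contents):                # short-form length only, enough for the stubs below
    return bytes([tag, len(contents)]) + contents
def stub_cert_pem(sig_oid_der):
    """Constructed stub: one-INTEGER tbsCertificate, NULL parameters, dummy BIT STRING signature."""
    alg = _der(0x30, _der(0x06, sig_oid_der) + b"\x05\x00")
    der = _der(0x30, _der(0x30, _der(0x02, b"\x02")) + alg + _der(0x03, b"\x00\xaa\xbb"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = (stub_cert_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")     # sha256WithRSAEncryption
                 + stub_cert_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")   # sha1WithRSAEncryption
                 + stub_cert_pem(b"\x2a\x86\x48\xce\x3d\x04\x01"))          # ecdsa-with-SHA1
```

Run against a real chain file, `sha1_signed_certs(open("chain.pem").read())` returns the positions of the certificates that need re-issuing before the policy change lands; an empty list means the chain itself is not affected.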

            Alexander Sosedkin (asosedki@redhat.com)
            Alicja Kario (hkario@redhat.com)
            Alexander Sosedkin
            Ondrej Moris
            Jan Fiala
            Votes: 0
            Watchers: 7
