openssl

Commit Graph

Author	SHA1	Message	Date
Clemens Lang	efdb8c60a3	Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0 Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0 defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default. However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of security do not meet SECLEVEL=1's requirement of 80 bits. Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which would include all algorithms, regardless of their security level), allow MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1. Related: rhbz#2069239	2022-04-27 12:24:38 +02:00
Alexander Sosedkin	8f08128432	Instrument with USDT probes related to SHA-1 deprecation	2022-04-26 19:08:09 +02:00

Author

SHA1

Message

Date

Clemens Lang

efdb8c60a3

Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0

Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0
defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default.
However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of
security do not meet SECLEVEL=1's requirement of 80 bits.

Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which
would include all algorithms, regardless of their security level), allow
MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1.

Related: rhbz#2069239

2022-04-27 12:24:38 +02:00

Alexander Sosedkin

8f08128432

Instrument with USDT probes related to SHA-1 deprecation

2022-04-26 19:08:09 +02:00

2 Commits