On Monday 06 June 2016 08:24:50, Daniel Pocock wrote:
> CAs, browser vendors and other software developers are actively
> disabling SHA-1 support and shifting to the SHA-2 (SHA-256) digest
> algorithm.

There are two relevant uses of SHA-1 that I know of:

- As MAC algorithm in the TLS cipher suite. There the current policy is to use whatever openssl offers as configuration alias "HIGH". Currently this includes ciphers with SHA1. Not sure if there is any plan to change this or if there are known attacks on these ciphers due to them using SHA1.

- As signing algorithm for certificates. Here the declining collision resistance of SHA1 is relevant. I will concentrate on this in the rest of the mail.

> How will Apache web server deal with this?

AFAIK, there has been no discussion about this, yet. But I am pretty sure that if upstream decides to act, there will be a longer period where only a config switch is needed to turn it on again.

> If not following upstream, how will it be done in the Debian
> packages?

We depend on openssl not removing support for SHA1-signed certificates, of course. But I would also opt for either not changing anything or only changing the default configuration. Removing SHA1 certificate support so that apache needs to be recompiled looks more like a possible approach for stretch+1, but not for stretch.

> For example, will Apache refuse to run with an SHA-1 server
> certificate?

I don't think so. If you have created a self-signed SHA1 certificate, and have imported that into your clients, that is still secure. Unless SHA1 pre-image attacks get much better.

> Will it refuse to validate SHA-1 client certificates that were
> accepted previously?
>
> Will SHA-1 support simply be disabled by default but people can get
> it back through a trivial configuration change?
>
> Or will people need to recompile if they still need to support any
> SHA1 certificates?
>
> Will SHA-1 be deprecated in any security fix release to jessie and
> wheezy, or it will only disappear as part of the stretch release
> cycle?

That depends on how much better the attacks get. I haven't really made up my mind, yet.

> Could the Apache maintainers please add some comments about it on
> the wiki? https://wiki.debian.org/SHA-1
>
> One aspect of this problem is that there are many hardware devices
> out there with built-in client certificates using the SHA-1 digest.
> When these devices make connections to an Apache server using
> client TLS (mutual TLS) authentication, they won't be able to send
> an SHA-256 certificate and they may not be able to verify an
> SHA-256 certificate on the server side. People with hardware like
> that probably need to start planning their migration now if there
> will be no backwards-compatible support for them.
>
> This has also been discussed on debian-security
> https://lists.debian.org/debian-security/2016/05/msg00039.html
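Two checks that follow from the two SHA-1 uses distinguished in the reply above, as an added example that is not part of this thread: which suites in the openssl "HIGH" alias still use HMAC-SHA1 as record MAC (read from the host's libssl via Python's ssl module), and whether a DER certificate's outer signatureAlgorithm is sha1WithRSAEncryption (the OID table and the minimal DER walker are assumptions of this example; the certificate blobs are constructed stand-ins with an empty tbsCertificate, not real certificates).

```python
import ssl

SIG_OIDS = {  # RFC 3279 / RFC 4055 values; table assembled for this example, not from the thread
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, content_start, content_end)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded X.509 Certificate."""
    tag, p, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    tag2, _, e = _tlv(der, p)           # tbsCertificate: skip over it
    tag3, s, _ = _tlv(der, e)           # signatureAlgorithm ::= SEQUENCE { algorithm, parameters }
    tag4, s, e = _tlv(der, s)           # algorithm OBJECT IDENTIFIER
    if (tag, tag2, tag3, tag4) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not a DER X.509 Certificate")
    body, val = der[s:e], 0
    arcs = [body[0] // 40, body[0] % 40]
    for b in body[1:]:                  # remaining arcs are base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_signature(der):
    """(algorithm name, signed_with_sha1) for a DER certificate; None means unknown OID."""
    return SIG_OIDS.get(signature_oid(der), ("unknown", None))

def sha1_mac_ciphers(alias="HIGH"):
    """Suites in an OpenSSL cipher alias whose record MAC is HMAC-SHA1, per the host's libssl."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(alias)
    return sorted(c["name"] for c in ctx.get_ciphers() if c["digest"] == "SHA1")

def _fake_cert(oid):
    """Constructed stand-in: empty tbsCertificate, real AlgorithmIdentifier, empty signature."""
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
SHA1_CERT = _fake_cert(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSAEncryption
SHA256_CERT = _fake_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
```

On a real deployment, feed `classify_signature` the DER of the server and client certificates (PEM decoded with base64) to inventory what would break if SHA-1 signatures were refused; `sha1_mac_ciphers()` shows which suites a "HIGH"-based SSLCipherSuite still negotiates with HMAC-SHA1.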