> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Friday, November 21, 2014 12:30
>
> Thanks. I guess I may have to open a problem with IBM. The IBM
> documentation clearly lists a number of "cipher suites" (as they call
> them) that use SHA1 (including the one we (IBM+OpenSSL) default to as
> being FIPS 140-2 compliant).
>
"cipher suite(s)" is the official term in the TLS standards, mostly two words but sometimes hyphenated or run together, so not surprisingly most implementations use it or a variant.

The "SHA" at the end of a suite name defined before TLS1.2 is actually SHA1 used within HMAC for the integrity check. (HMAC is a generic MAC-from-hash construction.) The new suites defined in or after TLS1.2 use SHA256 or SHA384 for HMAC, or are authenticated-encryption with *no* HMAC, although they still vary the hash used in the PRF for key derivation.

> GSK appears to only support SHA1 and MD5, and MD4 is pretty clearly not
> FIPS 140-2 compliant.
>
(That's a typo. SSL/TLS never used MD4, or MD2. It did use RC4 and RC2.)

Not quite, the picture is more nuanced. Although if you *can* go to TLS1.2 and a SHA256 or SHA384 suite that is Best Practice.

800-131A (Jan 2011) "codified" in 800-57 part1 rev3 (July 2013) prohibits SHA1 *for signature and hash-only* (which are assumed subject to collision attack) after 2013. It is still allowed for HMAC and some other uses that protect against collision. (Even after 2030 when 3TDEA, SHA-224, IFC&FFC 2048, and ECC 224 are scheduled to go away, although they may well re-think before then.)

In particular, draft 800-52 rev1 (Jan 2013) allows the TLS1.0&1.1 PRF (key derivation) with SHA1-xor-MD5; MD5 is not Approved at all but this construction doesn't rely on it and SHA1 *for KDF* is okay. However TLS1.0 is disallowed for another reason.

Similarly in non-FIPS situations the two (HMAC-)MD5 suites that are not SSLv2-only and not export-weakened are still mostly considered acceptable, though at the same time certs *signed* with MD5 are not, and certs signed with SHA1 won't be within a year or two.

Not that this really matters, since you practically always have a better option.
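The naming rule the reply explains (a trailing "SHA" on a pre-TLS1.2 suite means HMAC-SHA1 for record integrity, while TLS1.2-era suffixes name the PRF hash and AEAD suites carry no HMAC at all) as an added example that is not part of this thread or of OpenSSL; it assumes IANA-style suite names from the TLS1.0 to TLS1.2 era, and the sample list is constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class SuiteProfile:
    name: str
    record_mac: str   # how record integrity is protected
    prf_hash: str     # hash the PRF uses for key derivation
    tls12_only: bool  # cannot be negotiated below TLS1.2

# Trailing hash token of an IANA-style suite name (TLS1.0 to TLS1.2 era).
_SUFFIX = re.compile(r"_(MD5|SHA|SHA256|SHA384)$")

def classify_suite(name: str) -> SuiteProfile:
    """Say what the trailing hash token of a cipher-suite name actually means."""
    m = _SUFFIX.search(name)
    if m is None:
        raise ValueError(f"no recognised hash suffix in {name!r}")
    suffix = m.group(1)
    if suffix in ("MD5", "SHA"):
        # Pre-TLS1.2 naming: the suffix is the HMAC hash, and "SHA" is SHA-1.
        # The PRF is not named: SHA1-xor-MD5 under TLS1.0/1.1, SHA256 under TLS1.2.
        mac = "HMAC-MD5" if suffix == "MD5" else "HMAC-SHA1"
        return SuiteProfile(name, mac, "MD5/SHA1 (TLS1.0/1.1) or SHA256 (TLS1.2)", False)
    # TLS1.2-era naming: the suffix names the PRF hash. AEAD suites have no
    # HMAC at all; the CBC suites use HMAC with that same hash.
    aead = "_GCM_" in name or "CHACHA20_POLY1305" in name
    mac = "AEAD (no HMAC)" if aead else f"HMAC-{suffix}"
    return SuiteProfile(name, mac, suffix, True)

def sha1_role(p: SuiteProfile) -> str:
    """Where SHA-1 appears in the suite: HMAC and KDF uses are the ones the
    thread notes are still allowed, unlike signature or hash-only use."""
    if p.record_mac == "HMAC-SHA1":
        return "HMAC (integrity) and, below TLS1.2, the PRF"
    if "SHA1" in p.prf_hash:
        return "PRF only, and only below TLS1.2"
    return "none"

# Constructed sample list, the kind of thing a FIPS review starts from.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for n in SAMPLE_SUITES:
        p = classify_suite(n)
        print(f"{n:40} MAC={p.record_mac:15} PRF={p.prf_hash:36} SHA1: {sha1_role(p)}")
```

Names without a hash suffix (for instance the CCM suites) are rejected rather than guessed at.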