SHA1 cert signing is (being) deprecated https://www.entrust.com/sha-1-2017/
So SHA1-signed certs < BAD!

Does that apply at all for ciphers using Mac=SHA1?

I don't *think* it does. And I don't find anything that says it does. Or doesn't, as far as that goes.

In my postfix logs, I still see use of

	0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
	0xC0,0x19 - AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
	0xC0,0x14 - ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
	0x00,0x3A - ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
	0x00,0x35 - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
	0xC0,0x0A - ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1

And in the HIGH + MEDIUM cipherlist I use in postfix,

	openssl ciphers -V 'HIGH:MEDIUM:' | grep SHA1 | wc -l
	40

there's still 40 ciphers with Mac=SHA1.

Just wanted to verify if the problem is just with cert-signing, or a more general usage of SHA1 in any way, in the context of Postfix.

Rob
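
An added example, not part of the original post: a shell function that tallies `openssl ciphers -V` output by its Mac= field and lists the suites with Au=None, as a finer-grained alternative to `grep SHA1 | wc -l`. The function names and the one AEAD sample line are constructed for illustration; the other sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example. Tally `openssl ciphers -V` lines by their Mac= field and list
# suites with Au=None. Mac= is the suite's record-layer MAC; the hash used to
# sign a certificate is not part of this listing.

# Constructed sample: the six lines quoted in the post, plus one AEAD suite
# in the same format for contrast.
sample_ciphers() {
cat <<'EOF'
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x19 - AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
0xC0,0x14 - ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x3A - ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
0x00,0x35 - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
EOF
}

# Reads cipher lines on stdin; prints "Mac=<value> <count>" per MAC type and
# "anonymous <suite>" for every suite that does no server authentication.
mac_summary() {
    awk '
    {
        mac = ""; au = ""
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^Mac=/) mac = substr($i, 5)
            if ($i ~ /^Au=/)  au  = substr($i, 4)
        }
        if (mac == "") next              # skip anything that is not a cipher line
        count[mac]++
        if (au == "None") anon[++n] = $3 # $3 is the suite name
    }
    END {
        for (m in count) printf "Mac=%s %d\n", m, count[m]
        for (i = 1; i <= n; i++) printf "anonymous %s\n", anon[i]
    }' | LC_ALL=C sort
}

# Against the local OpenSSL build, with the cipher string from the post:
#   openssl ciphers -V 'HIGH:MEDIUM:' | mac_summary
sample_ciphers | mac_summary
```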