SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling it causes compatibility issues, especially with clients that use TLS1.2 but don't send the signature_algorithms extension. SHA-1 is forbidden in certificates by default, since it's vulnerable to offline collision-based attacks.
This commit is contained in:
parent
682df09159
commit
5d2511c4d4
7 changed files with 32 additions and 17 deletions
@ -4,12 +4,9 @@ mbed TLS 2.x.x branch released xxxx-xx-xx
Security
Security
* SHA-1 deprecation: remove it from the default allowed hash
* Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
algorithms for certificate verification and TLS 1.2 handshake
certificate verification. SHA-1 can be turned back on with a compile-time
signatures. It can be turned back on at compile time with
option if needed.
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with ssl_conf functions.
* Removed RIPEMD-160 from the default hash algorithms for
certificate verification.
Bugfix
Bugfix
* Remove invalid use of size zero arrays in ECJPAKE test suite.
* Remove invalid use of size zero arrays in ECJPAKE test suite.
@ -2638,13 +2638,24 @@
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
/**
/**
* Allow SHA-1 in the default TLS configuration for certificate signing and
* Allow SHA-1 in the default TLS configuration for certificate signing.
* TLS 1.2 handshake signature. Without this build-time option, SHA-1
* Without this build-time option, SHA-1 support must be activated explicitly
* support must be activated explicitly through mbedtls_ssl_conf_cert_profile
* through mbedtls_ssl_conf_cert_profile. Turning on this option is not
* and mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in
* recommended because of it is possible to generte SHA-1 collisions, however
* HMAC-SHA-1 for XXX_SHA ciphersuites is always allowed by default.
* this may be safe for legacy infrastructure where additional controls apply.
*/
*/
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
/**
* Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
* signature and ciphersuite selection. Without this build-time option, SHA-1
* support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
* The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
* default. At the time of writing, there is no practical attack on the use
* of SHA-1 in handshake signatures, hence this option is turned on by default
* for compatibility with existing peers.
*/
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
/* \} name SECTION: Customisation configuration options */
/* \} name SECTION: Customisation configuration options */
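Review bot: The new doc comment on MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES contains a grammatical slip and a typo in the line `* recommended because of it is possible to generte SHA-1 collisions, however`; it should read `* recommended because it is possible to generate SHA-1 collisions, however`. In the new MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE comment, the claim that "there is no practical attack on the use of SHA-1 in handshake signatures" is a present-tense assessment that will silently go stale in a header that ships for years; phrasing it as the rationale for the default and asking readers to re-evaluate it would be more durable, e.g. `* of SHA-1 in handshake signatures, so this option is on by default for` followed by `* compatibility with existing peers; revisit this default as attacks improve.` Unlike its sibling, this option is defined rather than commented out, so a sentence such as `* This option is enabled by default.` would make the shipped state explicit to someone skimming config.h.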
@ -651,7 +651,7 @@ int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf,
}
}
#endif
#endif
#ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
#ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
/* The test infrastructure requires a positive define */
/* The test infrastructure requires a positive define */
#define MBEDTLS_X509__DEFAULT_FORBID_SHA1
#define MBEDTLS_X509__DEFAULT_FORBID_SHA1
#endif
#endif
@ -7162,7 +7162,7 @@ static int ssl_preset_default_hashes[] = {
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA224,
MBEDTLS_MD_SHA224,
#endif
#endif
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
MBEDTLS_MD_SHA1,
MBEDTLS_MD_SHA1,
#endif
#endif
MBEDTLS_MD_NONE
MBEDTLS_MD_NONE
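Review bot: MBEDTLS_MD_SHA1 remains in ssl_preset_default_hashes whenever MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE is defined, and the config.h change in this commit defines it by default, so the default preset still offers SHA-1 for handshake signatures; a why-comment on the renamed `#if` would spare the next reader a trip to config.h, e.g. `/* Kept by default for TLS 1.2 peers that omit signature_algorithms; see MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE */`. If this array is consulted in preference order, SHA-1 being listed after the SHA-2 entries is what keeps stronger hashes preferred — worth confirming and stating in that comment so nobody reorders it. The array's declaration begins before this hunk.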
@ -85,7 +85,7 @@ static void mbedtls_zeroize( void *v, size_t n ) {
*/
*/
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
{
#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
/* Allow SHA-1 (weak, but still safe in controlled environments) */
/* Allow SHA-1 (weak, but still safe in controlled environments) */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
#endif
#endif
@ -2908,12 +2908,19 @@ run_test "Per-version suites: TLS 1.2" \
# Test for ClientHello without extensions
# Test for ClientHello without extensions
requires_gnutls
requires_gnutls
run_test "ClientHello without extensions" \
run_test "ClientHello without extensions, SHA-1 allowed" \
"$P_SRV debug_level=3" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
0 \
0 \
-s "dumping 'client hello extensions' (0 bytes)"
-s "dumping 'client hello extensions' (0 bytes)"
requires_gnutls
run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
"$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
0 \
-s "dumping 'client hello extensions' (0 bytes)"
# Tests for mbedtls_ssl_get_bytes_avail()
# Tests for mbedtls_ssl_get_bytes_avail()
run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
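Review bot: Both "ClientHello without extensions" tests only pass while the server still accepts a SHA-1 handshake signature (a TLS 1.2 client that sends no signature_algorithms extension is treated as offering SHA-1 under RFC 5246 §7.4.1.4.1, which is exactly the compatibility case the commit message describes), yet neither is guarded on the new option, so a build with MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE disabled would fail them instead of skipping them; add `requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` after each `requires_gnutls` line, assuming the script offers that helper as it does for other options. The second test's name promises "SHA-1 forbidden in certificates on server", but beyond the client exit code its only expectation is `-s "dumping 'client hello extensions' (0 bytes)"`, which is satisfied as soon as the server parses the hello and says nothing about which certificate profile or signature hash was in effect. Adding a server-side expectation on a log line emitted only after a completed handshake would make the property the test name claims actually observable.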
@ -432,7 +432,7 @@ depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDT
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)
X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"default":"NULL"
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"default":"NULL"
X509 Certificate verification #14 (Valid Cert SHA1 Digest forbidden in default profile)
X509 Certificate verification #14 (Valid Cert SHA1 Digest forbidden in default profile)