eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

SHA-1 deprecation: allow it in key exchange

Browse source 
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
This commit is contained in:
Gilles Peskine 2017-05-12 13:16:40 +02:00 committed by Manuel Pégourié-Gonnard
parent 682df09159
commit 5d2511c4d4
7 changed files with 32 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

2
library/ssl_tls.c
View file

@ -7162,7 +7162,7 @@ static int ssl_preset_default_hashes[] = {
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA224,
#endif
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
MBEDTLS_MD_SHA1,
#endif
MBEDTLS_MD_NONE