Remove optional SHA-1 in the default TLS configuration.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-29 17:46:57 +02:00 · 2021-03-29 17:46:57 +02:00 · a58625f90d
commit a58625f90d
parent 13af41f88c
8 changed files with 16 additions and 69 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -96,10 +96,6 @@ typedef struct {
 */
 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
 {
-#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
-    /* Allow SHA-1 (weak, but still safe in controlled environments) */
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
-#endif
    /* Only SHA-2 hashes */
    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |