Commit Graph

2 Commits

Author SHA1 Message Date
Clemens Lang
5a9ab1160e Allow SHA1 usage in HMAC in TLS
The EVP_DigestSign API is used in TLS to compute a SHA1 HMAC, which is
OK from our point of view, but was blocked so far. Modify
0049-Selectively-disallow-SHA1-signatures.patch to check the EVP_PKEY
type for HMAC (and TLS1-PRF and HKDF), and allow SHA1 for these cases.

Note that TLS1.1 signs a MD5-SHA1 hash with a private key, which does
not work with rh-allow-sha1-signatures = no, so the minimum TLS version
will be TLS 1.2.

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-22 19:40:20 +01:00
Clemens Lang
78fb78d307 Disable SHA1 signature creation and verification by default
Set rh-allow-sha1-signatures = yes to re-enable

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-22 12:25:35 +01:00