Bug#826536: clarify SHA-1 support beyond 2016
Package: apache2
Version: 2.4.10-10+deb8u4
Severity: important
CAs, browser vendors and other software developers are actively
disabling SHA-1 support and shifting to the SHA-2 (SHA-256) digest
algorithm.
How will Apache web server deal with this?
If not following upstream, how will it be done in the Debian packages?
For example, will Apache refuse to run with an SHA-1 server certificate?
Will it refuse to validate SHA-1 client certificates that were accepted
previously?
Will SHA-1 support simply be disabled by default but people can get it
back through a trivial configuration change?
Or will people need to recompile if they still need to support any SHA1
certificates?
Will SHA-1 be deprecated in any security fix release to jessie and
wheezy, or it will only disappear as part of the stretch release cycle?
Could the Apache maintainers please add some comments about it on the wiki?
https://wiki.debian.org/SHA-1
One aspect of this problem is that there are many hardware devices out
there with built-in client certificates using the SHA-1 digest. When
these devices make connections to an Apache server using client TLS
(mutual TLS) authentication, they won't be able to send an SHA-256
certificate and they may not be able to verify an SHA-256 certificate on
the server side. People with hardware like that probably need to start
planning their migration now if there will be no backwards-compatible
support for them.
This has also been discussed on debian-security
https://lists.debian.org/debian-security/2016/05/msg00039.html
Reply to: