
Bug#826536: clarify SHA-1 support beyond 2016



On Monday 06 June 2016 08:24:50, Daniel Pocock wrote:
> CAs, browser vendors and other software developers are actively
> disabling SHA-1 support and shifting to the SHA-2 (SHA-256) digest
> algorithm.

There are two relevant uses of SHA-1 that I know of.

As MAC algorithm in the TLS cipher suite. There the current policy is 
to use whatever openssl offers as configuration alias "HIGH". 
Currently this includes ciphers with SHA1. Not sure if there is any 
plan to change this or if there are known attacks on these ciphers due 
to them using SHA1.

As signing algorithm for certificates. Here the declining collision 
resistance of SHA1 is relevant. I will concentrate on this in the rest 
of the mail.

> 
> How will Apache web server deal with this?

AFAIK, there has been no discussion about this, yet. But I am pretty 
sure that if upstream decides to act, there will be a longer period 
where only a config switch is needed to turn it on again.


> If not following upstream, how will it be done in the Debian
> packages? 

We depend on openssl not removing support for SHA1-signed 
certificates, of course. But I would also opt for either not changing 
anything or only changing the default configuration. Removing SHA1 
certificate support so that apache needs to be recompiled looks more 
like a possible approach for stretch+1, but not for stretch.

> For example, will Apache refuse to run with an SHA-1 server
> certificate?

I don't think so. If you have created a self-signed SHA1 certificate, 
and have imported that into your clients, that is still secure. Unless 
SHA1 pre-image attacks get much better.

> Will it refuse to validate SHA-1 client certificates that were
> accepted previously?
> 
> Will SHA-1 support simply be disabled by default but people can get
> it back through a trivial configuration change?
> 
> Or will people need to recompile if they still need to support any
> SHA1 certificates?
> 
> Will SHA-1 be deprecated in any security fix release to jessie and
> wheezy, or it will only disappear as part of the stretch release
> cycle?

That depends on how much better the attacks get. I haven't really made up 
my mind, yet.


> Could the Apache maintainers please add some comments about it on
> the wiki? https://wiki.debian.org/SHA-1
> 
> One aspect of this problem is that there are many hardware devices
> out there with built-in client certificates using the SHA-1 digest.
>  When these devices make connections to an Apache server using
> client TLS (mutual TLS) authentication, they won't be able to send
> an SHA-256 certificate and they may not be able to verify an
> SHA-256 certificate on the server side.  People with hardware like
> that probably need to start planning their migration now if there
> will be no backwards-compatible support for them.
> 
> This has also been discussed on debian-security
> https://lists.debian.org/debian-security/2016/05/msg00039.html
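The reply above separates two uses of SHA-1: as the HMAC inside a TLS cipher suite, which collision attacks do not affect, and as the digest under a certificate signature, where collision resistance matters. The following script is an added example, not code from the bug report, Apache or Debian; it is the kind of inventory check an administrator would run before deciding which of their certificates are actually affected. It classifies OpenSSL cipher suite names by how they use a hash, and reads the outer signatureAlgorithm OID out of a DER certificate with a minimal ASN.1 walker. The certificates it inspects are constructed toy DER structures (real outer shape, dummy tbsCertificate contents), the cipher names are a constructed sample list, and the OID table is limited to a handful of common signature algorithms.

```python
"""Added example, not code from the bug report, Apache or Debian.

Two uses of SHA-1 in TLS: HMAC in a cipher suite (unaffected by collision
attacks) and the digest under a certificate signature (where collision
resistance matters). Cipher names and certificates below are constructed.
"""

# Signature algorithm OIDs of interest -> (name, digest). Constructed table.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

def der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def certificate_signature_digest(cert_der):
    """Return (oid, algorithm name, digest) for a certificate's signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The outer signatureAlgorithm is read; tbsCertificate is skipped unparsed.
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)
    tag, sigalg, _ = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = read_tlv(sigalg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest

def cipher_suite_hash_use(name):
    """Classify an OpenSSL cipher suite name by how its hash is used.

    AEAD suites (GCM, CCM, CHACHA20-POLY1305) have no HMAC; the trailing
    SHA256/SHA384 names the TLS 1.2 PRF. Suites ending in -SHA use HMAC-SHA1
    as the record MAC, a use collision attacks do not touch.
    """
    if any(tok in name for tok in ("GCM", "CCM", "POLY1305")):
        return "AEAD (no HMAC; SHA-2 as PRF only)"
    if name.endswith("-SHA"):
        return "HMAC-SHA1 record MAC"
    if name.endswith(("-SHA256", "-SHA384")):
        return "HMAC-SHA2 record MAC"
    return "unknown"

def toy_certificate(sig_oid):
    """Constructed certificate: real outer shape, dummy tbsCertificate contents."""
    tbs = der(0x30, der(0x02, b"\x01") + der(0x04, b"\x00" * 200))  # long-form length
    sigalg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))  # AlgorithmIdentifier
    return der(0x30, tbs + sigalg + der(0x03, b"\x00" * 17))  # dummy BIT STRING

if __name__ == "__main__":
    for suite in ["ECDHE-RSA-AES256-SHA", "AES128-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]:
        print(f"{suite:32} {cipher_suite_hash_use(suite)}")
    for oid in ["1.2.840.113549.1.1.5", "1.2.840.10045.4.3.2"]:
        print(certificate_signature_digest(toy_certificate(oid)))
```

On a real server the DER bytes would come from a file (`ssl.PEM_cert_to_DER_cert` on a PEM certificate), and only certificates whose signature digest comes back as SHA-1 need a replacement plan; a cipher suite reported as "HMAC-SHA1 record MAC" is a separate, lower-priority question, as the reply says.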

