lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

SHA-1 deprecation: allow it in key exchange

Browse Source 
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
This commit is contained in:
Gilles Peskine
2017-05-12 13:16:40 +02:00
committed by Manuel Pégourié-Gonnard
parent 682df09159
commit 5d2511c4d4
7 changed files with 32 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
library/ssl_tls.c
View File

@ -7162,7 +7162,7 @@ static int ssl_preset_default_hashes[] = {
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA224,
#endif
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
MBEDTLS_MD_SHA1,
#endif
MBEDTLS_MD_NONE