lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-01 10:06:53 +03:00
Code Activity

Remove SHA-1 in TLS by default

Browse Source 
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
This commit is contained in:
Gilles Peskine
2017-05-04 16:17:21 +02:00
committed by Manuel Pégourié-Gonnard
parent 23b33f8663
commit 5e79cb3662
4 changed files with 25 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
library/ssl_tls.c
View File

@ -7162,7 +7162,7 @@ static int ssl_preset_default_hashes[] = {
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA224,
#endif
#if defined(MBEDTLS_SHA1_C)
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
MBEDTLS_MD_SHA1,
#endif
MBEDTLS_MD_NONE