lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-13 09:01:48 +03:00
Code Activity

Remove optional SHA-1 in the default TLS configuration.

Browse Source 
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
This commit is contained in:
Mateusz Starzyk
2021-03-29 17:46:57 +02:00
parent 13af41f88c
commit a58625f90d
8 changed files with 16 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
include/mbedtls/config.h
View File

@ -3700,20 +3700,6 @@
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
/**
* Allow SHA-1 in the default TLS configuration for certificate signing.
* Without this build-time option, SHA-1 support must be activated explicitly
* through mbedtls_ssl_conf_cert_profile. Turning on this option is not
* recommended because of it is possible to generate SHA-1 collisions, however
* this may be safe for legacy infrastructure where additional controls apply.
*
* \warning SHA-1 is considered a weak message digest and its use constitutes
* a security risk. If possible, we recommend avoiding dependencies
* on it, and considering stronger message digests instead.
*
*/
//#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
/**
* Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
* signature and ciphersuite selection. Without this build-time option, SHA-1