Opened 9 years ago
Closed 8 years ago
#675 closed Bug / Defect (fixed)
tls_digest alternative with stronger hash
Reported by: | lmamane | Owned by: | Steffan Karger |
---|---|---|---|
Priority: | major | Milestone: | beta 2.4 |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.4 (Community Ed) |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
Cc: |
Description
when running the tls-verify script, the SHA-1 digests of the certificates are set in the tls_digest_{n} environment variables. Given the deprecation of SHA-1, please provide extra variable with stronger hashes. E.g.:
tls_digest_sha256_{n}
tls_digest_sha512_{n}
etc
Change History (5)
comment:1 Changed 9 years ago by
Owner: | set to Steffan Karger |
---|---|
Status: | new → assigned |
comment:2 Changed 9 years ago by
comment:3 Changed 9 years ago by
Milestone: | → beta 2.4 |
---|---|
Status: | assigned → accepted |
These are fingerprints, and fingerprints have to be collision resistant. So yes, we should indeed add stronger digests. I'm putting this on the list for 2.4.
comment:4 Changed 8 years ago by
For reference, I sent a patch for this to the list back in May '16, which is awaiting review:
http://thread.gmane.org/gmane.network.openvpn.devel/11613/focus=11615
comment:5 Changed 8 years ago by
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
Currently we do not see any clear security benefits of providing SHA512. But we do provide SHA256 with the patch below.
commit af1e4d26ab65bd71de168ea621ca55d0e40a0bc1 Author: Steffan Karger <steffan@karger.me> Date: Thu May 5 22:14:07 2016 +0200 Add SHA256 fingerprint support Add SHA256 fingerprint support for both the normal exported fingerprints (tls_digest_n -> tls_digest_sha256_n), as well as for --x509-track. Also switch to using the SHA256 fingerprint instead of the SHA1 fingerprint internally, in cert_hash_remember() / cert_hash_compare(). And instead of updating an #if 0'd code block that has been disabled since 2009, just remove that. This should take care of trac #675. v2: update openvpn.8 accordingly [ DS: This commit squashes in the clean-up cert_hash_remember scoping patch, as it is highly related and tied to this primary patch ] Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: 1462479247-21854-1-git-send-email-steffan@karger.me Message-Id: 1474055635-7427-1-git-send-email-steffan@karger.me URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg11859.html URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12464.html Signed-off-by: David Sommerseth <davids@openvpn.net>
@syzzer: is that something real, or just "bad algorithm! sit!" hysteria?