Dear Roberto

On Sun, Jun 9, 2024 at 1:16 PM Roberto Ragusa <m...@robertoragusa.it> wrote:

> On 6/9/24 11:27, Dmitry Belyavskiy wrote:
> >
> > On Sun, Jun 9, 2024 at 11:22 AM Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl> wrote:
> >
> > In https://fedoraproject.org/wiki/SHA1SignaturesGuidance:
> > > At the moment, we don't provide a public API to enable SHA-1 signature
> > > support in OpenSSL programmatically. We ask you to respect the system
> > > administrator's configuration choice on this. We're planning to work
> > > with OpenSSL upstream to introduce a more suitable API in the future
> >
> > Any news on this? Being able to make this policy configurable at application
> > level would make things _much_ easier.
> >
> >
> > We don't plan to provide such an API, sorry. SHA1 is insecure. It should be
> > eliminated from the crypto contexts _before_ a second-preimage attack
> > starts to cost $0.02
>
>
> Is it the library's job to decide policies about security levels?
> Each time algorithms are "distrusted" people get problems mostly with things
> where security is not really critical at all, like connecting to their local
> hypervisor, their arduino boards, their home thermostat, etc. etc. etc.
> Let's hope at least the policies will be tweakable enough, I've seen cases
> where people were proposing removal of algorithms from the code, which is crazy
> (why should a library refuse to do an RC4 calculation for me?).
>

You still are able to use SHA1 and RC4 using openssl.
The distribution should provide a necessary level of security defaults. Those who understand why they don't need enough security, can relax any limitations.

--
Dmitry Belyavskiy