On 9 August 2010 (V Id. Aug. MMX), Jakob Bohm wrote:
> On 08-08-2010 01:13, Dr. Stephen Henson wrote:
> [...]
> > It depends on what you mean by "in". Support for SHA-2 algorithms is in
> > OpenSSL 0.9.8 and later. The algorithm can be used in certificates and CMS
> > for example.
> >
> > Since OpenSSL doesn't currently support TLS 1.2 it will not be used for TLS
> > ciphersuites since none in TLS 1.1 or earlier use SHA-2 algorithms.
>
> I believe this is an unfortunate reading of the RFCs. Fundamentally,
> the SSL3/TLS protocols do not tie the availability of a cipher suite to
> the version of the protocol document which was current when it was
> introduced. The fact that the most common cipher suites are defined in
> the same documents as the protocols themselves really should not be
> treated as more important than the fact that there is a single IANA
> registry for these values.
>
> Formally: RFC2246, RFC4346 and RFC5246 all refer to IANA for the cipher
> suite list.
RFC2246 doesn't refer to this IANA registry (RFC2434, a later one). RFC4346/5246 do.

> IANA's cipher suite list refers to different RFCs for
> different suite values, including RFC2712 and RFC5246. The cipher
> suites so defined are thus equally applicable to the TLS versions (1.0,
> 1.1 and 1.2) defined in RFC2246, RFC4346 and RFC5246 unless there is
> a cipher suite specific reason not to use them with specific TLS
> versions.
>
> Of course using an SHA-2 based cipher suite with TLS 1.1 or older implies
> that the keys will still be created from a master secret produced using
> the old MD5/SHA-1 PRF. But at least the HMACs for the data will be done
> with SHA-2, thus limiting the attack surface for exploiters of SHA-1
> weaknesses.

This is not possible, as the ciphersuites defined by RFC5246 all use P_SHA256 as the PRF (paragraph 1.2). In paragraph 5, it is said "New cipher suites MUST explicitly specify a PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a stronger standard hash function". That's precisely what is done, since new ciphersuites use P_SHA256 as the PRF. Using the old PRF with the new ciphersuites is not standard at all.

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
R&D Department, KEYNECTIS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org