Hello Steffen,

> On 7. Aug 2024, at 22:16, Steffen Nurpmeso <stef...@sdaoden.eu> wrote:
> 
> Isn't that terribly rhetorical, and can kill sheep indeed.
> To reiterate that SSL/TLS are standards, they had version
> iterations, which possibly got around some real protocol problem.
> These offer standardized sets of ciphersuites, some of those, of
> the elder versions, are "no longer secure".  (I am no
> cryptographer to tell whether they ever were completely so, or
> whether there are "mathematical tricks" to get away without brute
> force for them.  That aside.)  That is basically it.  But, as far
> as I understand it, even TLSv1 supported forward-secrecy stuff, i.e.
> 
>  # openssl ciphers -v EECDH+AESGCM:EECDH+AES256:CHACHA20:!DHE
> 
> gives two members, and except for the SHA-1 MAC this looks pretty
> modern.  But again: I am far from being an expert.

TLS < 1.2 only supports a single signature algorithm, which uses SHA1-MD5 as 
digest.
Only TLS >= 1.2 supports the signature_algorithms extension to negotiate modern 
digests.

MD5 is fully broken. SHA-1 is questionable. Their combination may withstand 
attacks a little bit longer, but probably not by much.

The MAC is actually fine, since it’s HMAC with SHA-1, which isn’t as affected 
by a SHA-1 collision attack [1].


  [1]: https://security.stackexchange.com/questions/187866/why-aren-t-collisions-important-with-hmac


-- 
Clemens Lang
RHEL Crypto Team
Red Hat

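To make the three constructions in the reply concrete, here is an added example (not code from the thread or from OpenSSL) that builds each of them over made-up inputs: the TLS 1.0/1.1 RSA ServerKeyExchange signature input, which is MD5(data) || SHA-1(data) with no negotiation (RFC 2246/4346 section 7.4.3); the TLS 1.2 variant, where the hash is whatever signature_algorithms negotiated (RFC 5246 section 7.4.1.4.1); and the record-layer MAC for a *_SHA ciphersuite, which is keyed HMAC-SHA1 (RFC 2246 section 6.2.3.1). The randoms, MAC key and ECDH point are constructed sample bytes, and the ServerECDHParams encoding follows RFC 4492.

```python
"""Digest constructions from the TLS versions discussed in the reply.

Constructed example: sample randoms, key and point below are made up.
"""
import hashlib
import hmac
import struct


def ecdhe_server_params(named_curve: int, point: bytes) -> bytes:
    """ServerECDHParams (RFC 4492 5.4): curve_type=named_curve(3),
    NamedCurve (2 bytes), then opaque point<1..2^8-1>."""
    return bytes([3]) + struct.pack("!H", named_curve) + bytes([len(point)]) + point


def legacy_rsa_signature_digest(client_random: bytes, server_random: bytes,
                                params: bytes) -> bytes:
    """TLS 1.0/1.1 (RFC 2246/4346 7.4.3): the RSA signature over the
    ServerKeyExchange covers MD5(data) || SHA-1(data), 36 bytes, signed as
    PKCS#1 v1.5 block type 1 without a DigestInfo. Nothing negotiates this."""
    data = client_random + server_random + params
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


def tls12_signature_digest(client_random: bytes, server_random: bytes,
                           params: bytes, hash_name: str) -> bytes:
    """TLS 1.2 (RFC 5246 7.4.1.4.1): the hash is the one chosen from the
    signature_algorithms extension, e.g. "sha256" for rsa_pkcs1_sha256."""
    data = client_random + server_random + params
    return hashlib.new(hash_name, data).digest()


def tls1_record_mac(mac_key: bytes, seq_num: int, content_type: int,
                    version: bytes, fragment: bytes) -> bytes:
    """TLS 1.0-1.2 record MAC for a *_SHA suite (RFC 2246 6.2.3.1):
    HMAC-SHA1 over seq_num || type || version || length || fragment.
    Being keyed, it is not broken by a SHA-1 collision attack."""
    header = (struct.pack("!Q", seq_num) + bytes([content_type]) + version
              + struct.pack("!H", len(fragment)))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


# Constructed sample inputs (not real handshake values).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
SECP256R1 = 23                      # NamedCurve value for secp256r1 (RFC 4492)
SAMPLE_POINT = b"\x04" + bytes(64)  # placeholder uncompressed point 0x04||X||Y
PARAMS = ecdhe_server_params(SECP256R1, SAMPLE_POINT)
MAC_KEY = bytes(20)                 # placeholder MAC_write_secret
TLS_1_0 = b"\x03\x01"
APPLICATION_DATA = 23


def demo() -> dict:
    """Return each construction so the sizes can be compared side by side."""
    return {
        "legacy_md5_sha1": legacy_rsa_signature_digest(CLIENT_RANDOM, SERVER_RANDOM, PARAMS),
        "tls12_sha256": tls12_signature_digest(CLIENT_RANDOM, SERVER_RANDOM, PARAMS, "sha256"),
        "record_hmac_sha1": tls1_record_mac(MAC_KEY, 0, APPLICATION_DATA, TLS_1_0, b"hello"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17s} {len(value):2d} bytes  {value.hex()}")
```

The point to take from the output is the 36-byte legacy digest: the first 16 bytes are plain MD5 and the last 20 plain SHA-1 of the same data, so a collision in either primitive is a collision in the signed input, whereas the record MAC mixes in a secret key and a sequence number before hashing.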