SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.
SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
diff --git a/ChangeLog b/ChangeLog
index 59fdf97..15e1b24 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,12 +11,9 @@
* Wipe stack buffers in RSA private key operations
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
Found by Laurent Simon.
- * SHA-1 deprecation: remove it from the default allowed hash
- algorithms for certificate verification and TLS 1.2 handshake
- signatures. It can be turned back on at compile time with
- MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with ssl_conf functions.
- * Removed RIPEMD-160 from the default hash algorithms for
- certificate verification.
+ * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
+ certificate verification. SHA-1 can be turned back on with a compile-time
+ option if needed.
Bugfix
* Remove macros from compat-1.3.h that correspond to deleted items from most
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6caf52a..0c51fea 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2428,13 +2428,24 @@
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
/**
- * Allow SHA-1 in the default TLS configuration for certificate signing and
- * TLS 1.2 handshake signature. Without this build-time option, SHA-1
- * support must be activated explicitly through mbedtls_ssl_conf_cert_profile
- * and mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in
- * HMAC-SHA-1 for XXX_SHA ciphersuites is always allowed by default.
+ * Allow SHA-1 in the default TLS configuration for certificate signing.
+ * Without this build-time option, SHA-1 support must be activated explicitly
+ * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
+ * recommended because of it is possible to generte SHA-1 collisions, however
+ * this may be safe for legacy infrastructure where additional controls apply.
*/
-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+
+/**
+ * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
+ * signature and ciphersuite selection. Without this build-time option, SHA-1
+ * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
+ * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
+ * default. At the time of writing, there is no practical attack on the use
+ * of SHA-1 in handshake signatures, hence this option is turned on by default
+ * for compatibility with existing peers.
+ */
+#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
/* \} name SECTION: Module configuration options */
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 937dcd4..302dd2b 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -642,7 +642,7 @@
}
#endif
-#ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+#ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
/* The test infrastructure requires a positive define */
#define MBEDTLS_X509__DEFAULT_FORBID_SHA1
#endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f2f08c7..bcefe95 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7043,7 +7043,7 @@
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA224,
#endif
-#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
MBEDTLS_MD_SHA1,
#endif
MBEDTLS_MD_NONE
diff --git a/library/x509_crt.c b/library/x509_crt.c
index ca3a7d0..92ab38d 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -85,7 +85,7 @@
*/
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
-#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
/* Allow SHA-1 (weak, but still safe in controlled environments) */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
#endif
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index f498732..8170413 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2684,12 +2684,19 @@
# Test for ClientHello without extensions
requires_gnutls
-run_test "ClientHello without extensions" \
+run_test "ClientHello without extensions, SHA-1 allowed" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
0 \
-s "dumping 'client hello extensions' (0 bytes)"
+requires_gnutls
+run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
+ "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
+ "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
+ 0 \
+ -s "dumping 'client hello extensions' (0 bytes)"
+
# Tests for mbedtls_ssl_get_bytes_avail()
run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 3609f40..aacf4f9 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -432,7 +432,7 @@
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"default":"NULL"
X509 Certificate verification #14 (Valid Cert SHA1 Digest forbidden in default profile)