Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.
For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
diff --git a/ChangeLog b/ChangeLog
index a889337..59fdf97 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,12 @@
* Wipe stack buffers in RSA private key operations
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
Found by Laurent Simon.
+ * SHA-1 deprecation: remove it from the default allowed hash
+ algorithms for certificate verification and TLS 1.2 handshake
+ signatures. It can be turned back on at compile time with
+ MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with ssl_conf functions.
+ * Removed RIPEMD-160 from the default hash algorithms for
+ certificate verification.
Bugfix
* Remove macros from compat-1.3.h that correspond to deleted items from most
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index c720cb9..6caf52a 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2065,7 +2065,8 @@
* library/ssl_tls.c
* library/x509write_crt.c
*
- * This module is required for SSL/TLS and SHA1-signed certificates.
+ * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
+ * depending on the handshake parameters, and for SHA1-signed certificates.
*/
#define MBEDTLS_SHA1_C
@@ -2426,6 +2427,15 @@
/* X509 options */
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
+/**
+ * Allow SHA-1 in the default TLS configuration for certificate signing and
+ * TLS 1.2 handshake signature. Without this build-time option, SHA-1
+ * support must be activated explicitly through mbedtls_ssl_conf_cert_profile
+ * and mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in
+ * HMAC-SHA-1 for XXX_SHA ciphersuites is always allowed by default.
+ */
+// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+
/* \} name SECTION: Module configuration options */
#if defined(TARGET_LIKE_MBED)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4023854..f2f08c7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7043,7 +7043,7 @@
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA224,
#endif
-#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
MBEDTLS_MD_SHA1,
#endif
MBEDTLS_MD_NONE
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 84a2d4f..ca3a7d0 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -85,9 +85,11 @@
*/
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
- /* Hashes from SHA-1 and above */
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
+ /* Allow SHA-1 (weak, but still safe in controlled environments) */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
+#endif
+ /* Only SHA-2 hashes */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |