[openssl-users] Rejecting SHA-1 certificates

Niklas Keller me at kelunik.com
Wed Jul 12 12:24:57 UTC 2017


2017-07-12 8:35 GMT+02:00 Wouter Verhelst <wouter.verhelst at fedict.be>:

> On 11-07-17 23:44, Salz, Rich via openssl-users wrote:
> >> It's very well worth the effort, otherwise there's a security issue,
> because certificates can be forged.
> >
> > No they cannot.
> >
> > What *has* been done is a document was created with "weak spots" and
> another document was created that changed those weak spots, but the digest
> was the same.
>
> Correct me if I'm wrong, but wasn't the MD5 certificate hack presented
> back at 25C3 based on exactly that scenario? They used the serial number
> and timestamp or some other such thing (don't recall the details) as
> weak spots and then sent loads of certificate requests to the CA to
> effectively brute-force it.
>
> (Of course, CAs are now required to randomize their serial number, so
> since that particular attack isn't possible anymore, I agree that for
> the time being it's still not a feasible scenario for SHA1, but hey)
>

Maybe not currently for SHA-1, but maybe for MD5?

Also not sure whether you can use these old certificates with weak serials
and change the date as well there?

Regards, Niklas
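The two properties the thread keeps circling back to, the signature hash and whether the serial number could have been predicted, are both readable from the TBSCertificate without any library. The following is an added example, not code from this thread or from OpenSSL: a minimal DER walker that pulls the serial and the signature AlgorithmIdentifier out of a certificate and rejects MD5/SHA-1 signatures outright, plus a heuristic flag for serials shorter than the 64-bit floor the CA/Browser Forum Baseline Requirements set for CSPRNG-generated serials. The DER writer, the OID strings, the three sample certificates and the 128-bit serial hex literal are all constructed here for the example; a single certificate cannot tell you its serial was random, only that it was too short to be.

```python
# Reject X.509 certificates signed with MD5/SHA-1 and flag short serials.
# Constructed example: hand-rolled DER reader plus a tiny DER writer that
# exists only to build the sample certificates at the bottom.

# Signature-algorithm OIDs whose hash is collision-prone (RFC 3279 / RFC 5754).
WEAK_SIG_ALGS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
MIN_SERIAL_BITS = 64  # floor from the CA/Browser Forum Baseline Requirements


def tlv(buf, off):
    """Read one DER TLV at buf[off]; returns (tag, content, offset_after).
    Assumes single-byte tags, which holds for the X.509 outer structure."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: next k bytes hold the length
        k = length & 0x7F
        length, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + length], off + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def check_cert(der_cert):
    """Return a verdict dict for one DER-encoded X.509 certificate."""
    _, cert, _ = tlv(der_cert, 0)
    _, tbs, off = tlv(cert, 0)             # tbsCertificate
    _, outer_alg, _ = tlv(cert, off)       # Certificate.signatureAlgorithm
    tag, val, off = tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        tag, val, off = tlv(tbs, off)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(val, "big", signed=True)
    _, inner_alg, _ = tlv(tbs, off)        # TBSCertificate.signature
    _, oid_raw, _ = tlv(inner_alg, 0)
    oid = decode_oid(oid_raw)
    serial_bits = serial.bit_length() if serial > 0 else 0
    reasons = []
    if inner_alg != outer_alg:             # RFC 5280 requires both to match
        reasons.append("signatureAlgorithm differs from TBSCertificate.signature")
    if oid in WEAK_SIG_ALGS:
        reasons.append("weak signature hash: " + WEAK_SIG_ALGS[oid])
    if serial_bits < MIN_SERIAL_BITS:
        reasons.append(f"serial has only {serial_bits} bits of possible entropy")
    return {"sig_alg": WEAK_SIG_ALGS.get(oid, oid), "serial_bits": serial_bits,
            "reject": bool(reasons), "reasons": reasons}


# --- DER writer, used only to construct the sample certificates below ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_cert(serial, sig_oid):
    """Minimal Certificate: version, serial and both AlgorithmIdentifiers only;
    issuer/validity/subject/SPKI are omitted because check_cert never reads them."""
    raw = serial.to_bytes((serial.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:                      # keep the DER INTEGER positive
        raw = b"\x00" + raw
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, raw) + alg)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))   # dummy signature


# Constructed samples: an MD5 cert with a sequential serial (the 25C3 setting),
# a SHA-1 cert with a 128-bit serial, and a SHA-256 cert with the same serial.
# The hex literal is made up for this example, not taken from a real cert.
RANDOM_SERIAL = int("8f3c51a7e2b94d06c1e7a8f50b3d2c19", 16)
OLD_MD5_CERT = build_cert(7, "1.2.840.113549.1.1.4")
SHA1_RANDOM_SERIAL_CERT = build_cert(RANDOM_SERIAL, "1.2.840.113549.1.1.5")
MODERN_CERT = build_cert(RANDOM_SERIAL, "1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for name, cert in [("old MD5", OLD_MD5_CERT),
                       ("SHA-1, random serial", SHA1_RANDOM_SERIAL_CERT),
                       ("SHA-256", MODERN_CERT)]:
        print(name, check_cert(cert))
```

The SHA-1 sample with a random serial is the case the thread calls not currently feasible to forge; the check still rejects it, because the policy question (is the hash acceptable at all) is separate from the attack-feasibility question (could the attacker have predicted the to-be-signed bytes), and only the former can be decided from the certificate alone.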