Reducing the security bits for MD5 and SHA1 in TLS

Matt Caswell matt at openssl.org
Wed May 27 11:14:13 UTC 2020


PR 10787 proposed to reduce the number of security bits for MD5 and SHA1
in TLS (master branch only, i.e. OpenSSL 3.0):

https://github.com/openssl/openssl/pull/10787

This would have the impact of meaning that TLS < 1.2 would not be
available in the default security level of 1. You would have to set the
security level to 0.

In my mind this feels like the right thing to do. The security bit
calculations should reflect reality, and if that means that TLS < 1.2 no
longer meets the policy for security level 1, then that is just the
security level doing its job. However this *is* a significant breaking
change and worthy of discussion. Since OpenSSL 3.0 is a major release it
seems that now is the right time to make such changes.

IMO it seems appropriate to have an OMC vote on this topic (or should it
be OTC?). Possible wording:

"The TLS security bit values for MD5, MD5_SHA1 and SHA1 should be set to
39, 67 and 65 respectively in OpenSSL 3.0. Consequently TLS < 1.2 will
be disallowed in the default security level"

Thoughts?

Matt



More information about the openssl-project mailing list