Reducing the security bits for MD5 and SHA1 in TLS

Tomas Mraz tmraz at
Wed May 27 11:28:59 UTC 2020

On Wed, 2020-05-27 at 12:14 +0100, Matt Caswell wrote:
> PR 10787 proposed to reduce the number of security bits for MD5 and
> SHA1
> in TLS (master branch only, i.e. OpenSSL 3.0):
> This would have the impact of meaning that TLS < 1.2 would not be
> available in the default security level of 1. You would have to set
> the
> security level to 0.
> In my mind this feels like the right thing to do. The security bit
> calculations should reflect reality, and if that means that TLS < 1.2
> no
> longer meets the policy for security level 1, then that is just the
> security level doing its job. However this *is* a significant
> breaking
> change and worthy of discussion. Since OpenSSL 3.0 is a major release
> it
> seems that now is the right time to make such changes.
> IMO it seems appropriate to have an OMC vote on this topic (or should
> it
> be OTC?). Possible wording:
> "The TLS security bit values for MD5, MD5_SHA1 and SHA1 should be set
> to
> 39, 67 and 65 respectively in OpenSSL 3.0. Consequently TLS < 1.2
> will
> be disallowed in the default security level"
> Thoughts?


I do not even think this is too much controversial to do in a major
release. The only possibly controversial thing is the handling of the 
certificates signed with SHA1 and especially rejecting the client
certificates on the client side before they are sent to the server.

That is the:

Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your

More information about the openssl-project mailing list