[openssl-users] Rejecting SHA-1 certificates

Viktor Dukhovni openssl-users at dukhovni.org
Mon Jul 10 17:22:56 UTC 2017

> On Jul 10, 2017, at 1:12 PM, Niklas Keller <me at kelunik.com> wrote:
> It's very well worth the effort, otherwise there's a security issue, because certificates can be forged.

Collision attacks don't directly lead to certificate forgery.  There are
no known 2nd-preimage attacks on SHA-1.

The previous MD5 attack required CAs to issue certificates with predictable
content (serial numbers and the like) so that the requested certificate
collides with a rogue certificate with basicConstraints CA:true.  Unpredictable
serial numbers defeat that attack.

If trusted CAs are no longer issuing SHA-1 certificates, then soon you won't need
to detect SHA-1 certificates in trusted chains, as there won't be any such
certificates issued by trusted CAs.

Anyway, if you must, you can inspect the chain as it is being verified via the
verify callback, keep track of the maximum depth (the final set of callbacks
when all goes well starts with the topmost CA certificate and goes down towards
the leaf) and reject SHA-1 at depths below any depth seen before.

That's a bunch of code, to address an issue that is solving itself naturally
through attrition.
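The callback scheme above, as an added Python model that is not code from the post: it keeps the maximum depth seen and rejects a SHA-1 signature only on certificates below that depth, reading the outer signatureAlgorithm with a small DER walk. The preverify_ok and depth arguments are assumptions standing in for what an OpenSSL verify callback obtains from its X509_STORE_CTX, and tiny_cert builds a constructed placeholder, not a real certificate.

```python
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                       "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode a raw OBJECT IDENTIFIER body to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """OID of Certificate.signatureAlgorithm: the outer field the issuer really
    signed with, not the copy inside tbsCertificate."""
    tag, cert, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    _, _, pos = _tlv(cert, 0)                # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)              # signatureAlgorithm
    _, oid, _ = _tlv(alg, 0)                 # first element is the OID
    return _decode_oid(oid)

class Sha1ChainPolicy:
    """Stand-in for an OpenSSL verify callback: returns 1 (accept) or 0 (fail)."""
    def __init__(self):
        self.max_depth = -1                  # deepest chain position seen so far
    def verify_callback(self, preverify_ok, depth, cert_der):
        if not preverify_ok:
            return 0                         # keep OpenSSL's own verdict
        if depth >= self.max_depth:          # topmost cert so far: trusted by
            self.max_depth = depth           # identity, its own signature is moot
            return 1
        return 0 if signature_oid(cert_der) in SHA1_SIGNATURE_OIDS else 1

def tiny_cert(alg_oid):
    """Constructed stand-in, not a real cert: empty tbs, AlgorithmIdentifier, empty BIT STRING."""
    oid = b"\x06" + bytes([len(alg_oid)]) + alg_oid
    alg = b"\x30" + bytes([len(oid) + 2]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
```

The callback sequence the post describes (topmost CA first, then down to the leaf) lets a SHA-1 self-signed trust anchor through but fails any SHA-1 signed certificate beneath it.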

