On Wed, 2020-05-27 at 12:14 +0100, Matt Caswell wrote: > PR 10787 proposed to reduce the number of security bits for MD5 and > SHA1 > in TLS (master branch only, i.e. OpenSSL 3.0): > > https://github.com/openssl/openssl/pull/10787 > > This would have the impact of meaning that TLS < 1.2 would not be > available in the default security level of 1. You would have to set > the > security level to 0. > > In my mind this feels like the right thing to do. The security bit > calculations should reflect reality, and if that means that TLS < 1.2 > no > longer meets the policy for security level 1, then that is just the > security level doing its job. However this *is* a significant > breaking > change and worthy of discussion. Since OpenSSL 3.0 is a major release > it > seems that now is the right time to make such changes. > > IMO it seems appropriate to have an OMC vote on this topic (or should > it > be OTC?). Possible wording: > > "The TLS security bit values for MD5, MD5_SHA1 and SHA1 should be set > to > 39, 67 and 65 respectively in OpenSSL 3.0. Consequently TLS < 1.2 > will > be disallowed in the default security level" > > Thoughts?
+1 I do not even think this is too much controversial to do in a major release. The only possibly controversial thing is the handling of the certificates signed with SHA1 and especially rejecting the client certificates on the client side before they are sent to the server. That is the: https://github.com/openssl/openssl/issues/11702 -- Tomáš Mráz No matter how far down the wrong road you've gone, turn back. Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.]