RSA+SHA1 web compatibility regression #110
Comments
I am open to solutions but I'd like to figure out one that doesn't require Rustls and friends to accept SHA-1 signatures for every host. We got along fine for 10 months so I'm thinking this isn't very common. Thus, I would encourage people to work on the advocacy aspect, i.e. helping https://www.daserste.de/ and related sites fix their configuration. This is something I can't reasonably do but something the community around this project could do. We have succeeded in such advocacy in the past, especially pretty recently. At the webpki level, we can of course add SHA-1 back if it would be used by somebody. But would Rustls actually make use of it if we added it back?
If we were to add this back, I think it'd really only be in the context of this issue. In which case we could add it back only for Though, I think in this case I prefer to do nothing. I'd likely change my mind if there was some more data showing a prevalence of servers with this bug.
#88 and rustls/rustls#207 removed RSA+SHA1 which seemed the right thing to do, but apparently made some web sites inaccessible.
Problem
With Servo (both with rustls and with Debian's default OpenSSL config which defines DEFAULT@SECLEVEL=2) I am not able to connect to the website of Germany's first public TV channel. Chrome and Firefox connect without problem.
cargo install rustls-mio --example tlsclient --git https://github.com/ctz/rustls/ --rev d132d48a236a212b1c79ca5b5182fb522007050c -f; tlsclient --http --protover="1.2" www.daserste.de
openssl s_client -connect www.daserste.de:443 -tls1_2 -cipher DEFAULT@SECLEVEL=2
openssl s_client -connect www.daserste.de:443 -tls1_2 -cipher DEFAULT@SECLEVEL=1
Chrome Dev > Devtools > Security
Questions
See also