Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: reject SHA-1 signatures in Verify #41682

Open
FiloSottile opened this issue Sep 28, 2020 · 9 comments
Open

crypto/x509: reject SHA-1 signatures in Verify #41682

FiloSottile opened this issue Sep 28, 2020 · 9 comments

Comments

@FiloSottile
Copy link
Contributor

@FiloSottile FiloSottile commented Sep 28, 2020

SHA-1 is weak: a SHA-1 collision was demonstrated and estimated to cost around $50k. https://shattered.io

Accepting SHA-1 signed certificates is a security issue, and lets attackers mount collision attacks if the CA is still signing SHA-1 certificates. crypto/x509 already rejects outright any MD5 signatures for the same reason.

The WebPKI has banned SHA-1 certificates for years now, and crypto/x509 targets a profile compatible with the WebPKI.

I propose we announce in Go 1.17 that we'll remove support in Go 1.18, and provide a GODEBUG opt-out until Go 1.19.

@FiloSottile

This comment has been hidden.

@FiloSottile FiloSottile self-assigned this Mar 17, 2021
@FiloSottile FiloSottile changed the title crypto/x509: stop verifying SHA-1 signatures proposal: crypto/x509: stop verifying SHA-1 signatures Apr 7, 2021
@ianlancetaylor ianlancetaylor added this to Incoming in Proposals Apr 7, 2021
@rsc
Copy link
Contributor

@rsc rsc commented Apr 7, 2021

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc rsc moved this from Incoming to Active in Proposals Apr 7, 2021
@ianlancetaylor

This comment has been hidden.

@rsc
Copy link
Contributor

@rsc rsc commented Apr 14, 2021

How many of the ancient servers being discussed in #45428 are serving SHA-1 signatures?

@FiloSottile
Copy link
Contributor Author

@FiloSottile FiloSottile commented Apr 14, 2021

SHA-1 in crypto/x509 is unrelated to crypto/tls, except to the extent that if you're running a legacy stack you're more likely to have both components be out of date. You can serve a SHA-1 certificate over TLS 1.3, if you felt like it.

There are no publicly trusted SHA-1 certificates anymore, so we pretty much have no numbers about them. (Well, we do, and they say zero, but they don't capture internal deployments.) Anyone using them is doing it with their own managed CA.

@rsc rsc changed the title proposal: crypto/x509: stop verifying SHA-1 signatures proposal: crypto/x509: reject SHA-1 signatures in Verify Apr 21, 2021
@rsc
Copy link
Contributor

@rsc rsc commented Apr 21, 2021

Based on the discussion above, this proposal seems like a likely accept.
— rsc for the proposal review group

@rsc rsc moved this from Active to Likely Accept in Proposals Apr 21, 2021
@rsc rsc moved this from Likely Accept to Accepted in Proposals Apr 28, 2021
@rsc
Copy link
Contributor

@rsc rsc commented Apr 28, 2021

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

@rsc rsc changed the title proposal: crypto/x509: reject SHA-1 signatures in Verify crypto/x509: reject SHA-1 signatures in Verify Apr 28, 2021
@FiloSottile
Copy link
Contributor Author

@FiloSottile FiloSottile commented Jun 15, 2021

https://golang.org/cl/327811 has the pre-announcement, moving to Go 1.18 for implementation.

@gopherbot
Copy link

@gopherbot gopherbot commented Jun 15, 2021

Change https://golang.org/cl/327811 mentions this issue: doc/go1.17: add Go 1.18 pre-announcements

gopherbot pushed a commit that referenced this issue Jun 21, 2021
Updates #41682
Updates #45428

Change-Id: Ia31d454284f0e114bd29ba398a2858fc90454032
Reviewed-on: https://go-review.googlesource.com/c/go/+/327811
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Proposals
Accepted
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants