Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: consider removing support for signing with RSA-MD5 #42125

Open
rolandshoemaker opened this issue Oct 21, 2020 · 2 comments
Open

crypto/x509: consider removing support for signing with RSA-MD5 #42125

rolandshoemaker opened this issue Oct 21, 2020 · 2 comments
Assignees
Milestone

Comments

@rolandshoemaker
Copy link
Member

@rolandshoemaker rolandshoemaker commented Oct 21, 2020

MD5 is very broken, which is why we don't implement support for verifying certificates that use the RSA-MD5 (MD5WithRSA) signature algorithm. We do still support signing new certificates with RSA-MD5 though, which is not ideal as it introduces some inconsistency around how we handle certificates (i.e. see https://go-review.googlesource.com/c/go/+/264019).

Presumably we still provide support because at some point in the past there were still some users of RSA-MD5 certificates, and we're only allowing them to create broken certificates rather than verifying them (and thus relying on them). Unless there are still significant use cases I'd suggest we just completely axe support for this broken signature algorithm, reducing our support burden, and hopefully further dissuading anyone from making a serious mistake in their choice of algorithms.

@gopherbot
Copy link

@gopherbot gopherbot commented Feb 24, 2021

Change https://golang.org/cl/285872 mentions this issue: crypto/x509: disable signing with MD5WithRSA

@FiloSottile FiloSottile removed this from the Backlog milestone Mar 17, 2021
@FiloSottile FiloSottile added this to the Go1.17 milestone Mar 17, 2021
@katiehockman
Copy link
Member

@katiehockman katiehockman commented Apr 26, 2021

Removed Proposal-Crypto label since this doesn't need to go through the proposal committee.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
6 participants