Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: consider removing support for signing with RSA-MD5 #42125

Open
rolandshoemaker opened this issue Oct 21, 2020 · 0 comments
Open

crypto/x509: consider removing support for signing with RSA-MD5 #42125

rolandshoemaker opened this issue Oct 21, 2020 · 0 comments

Comments

@rolandshoemaker
Copy link
Member

@rolandshoemaker rolandshoemaker commented Oct 21, 2020

MD5 is very broken, which is why we don't implement support for verifying certificates that use the RSA-MD5 (MD5WithRSA) signature algorithm. We do still support signing new certificates with RSA-MD5 though, which is not ideal as it introduces some inconsistency around how we handle certificates (i.e. see https://go-review.googlesource.com/c/go/+/264019).

Presumably we still provide support because at some point in the past there were still some users of RSA-MD5 certificates, and we're only allowing them to create broken certificates rather than verifying them (and thus relying on them). Unless there are still significant use cases I'd suggest we just completely axe support for this broken signature algorithm, reducing our support burden, and hopefully further dissuading anyone from making a serious mistake in their choice of algorithms.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.