[squid-dev] [PATCH] sslproxy_cert_sign_hash configuration option
Amos Jeffries
squid3 at treenet.co.nz
Mon Oct 6 07:13:32 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2/10/2014 5:48 a.m., Tsantilas Christos wrote:
> Browser vendors will get rid of SSL certificates that use SHA-1 to
> generate the hash that is then signed by the CA. For example,
> Google Chrome will start to show an "insecure" sign for
> certificates that are valid after 1.1.2016 and will generate a
> warning page for certificates that are valid after 1.1.2017
> [1],[2],[4]. Microsoft will block certificates with SHA-1 after
> 1.1.2017 [3].
>
IMHO this directive should not be necessary.
1) when mimicing certs server provides the hash type.
2) cleanly generated certs should always be using a secure hash in
compliance with TLS specification.
The TLS/SSL maximum version supplied by the client also drives the
hashes the server is able to use:
- MD5 for SSL,
- SHA1 for TLS 1.0/1.1,
- SHA256 for TLS 1.2+
Allowing configuration of the hash seems to be unnecessary, and adds
potential for configuring impossible situations like SSL without MD5,
or more likely SHA-256 with TLS/1.0.
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUMkEcAAoJELJo5wb/XPRjsHQH/1f5UcseEDvHFcRkj2R1HEQs
AE5INITUI2DaJ1A48FA/HhI2vEqlaAB/opmlCEhU+oVswQMJx6joLdoTut8ra7W6
QBDQ359G25d6sMkyuGAswqNhj1Vbtdr1TgY9lSSKL7B5F7h2/hH8t0QdYnnx1szI
fA4OVWcxCROidWFfArcCg05pPFZhX7gUTXeab2xJNju8aclWb/vL5wmlAXi15dTz
7bVrucs0ZVxLDOylhXkHuNTIU0VB9HD80wv3/+QylXKv+7HbfOsBU3AnRdCHs9UA
0zM7sTR33G1UAVCMg7knfXwlYoDFN04nLVCt62dPKh6vqJRWXyPTimVHtmpPNBY=
=qVaZ
-----END PGP SIGNATURE-----
More information about the squid-dev
mailing list