[PATCH] Don't auto-generate SHA1 certificates any more


Samba - samba-technical mailing list
Samba's self-signed certificates are meant to be replaced by proper
certificates, but few people do that.

Either way, we shouldn't use SHA1.  It has been on the 'do not use'
list for quite some time now.

If someone can review this into master, I would then like to backport
it to supported releases.

Thanks,

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba




Attachment: 0001-s4-lib-tls-Use-SHA256-to-sign-the-TLS-certificates.patch.txt (2K)

Re: [PATCH] Don't auto-generate SHA1 certificates any more

On Wed, 2017-08-09 at 17:01 +1200, Andrew Bartlett via samba-technical
wrote:
> Samba's self-signed certificates are meant to be replaced by proper
> certificates, but few people do that. 
>
> Either way, we shouldn't use SHA1.  It has been on the 'do not use'
> list for quite some time now. 
>
> If someone can review this into master, I would then like to backport
> it to supported releases. 

Maybe we should leave them to use SHA1 so that it becomes overly clear
that people should replace them?

Simo.


Re: [PATCH] Don't auto-generate SHA1 certificates any more

On Wed, 2017-08-09 at 09:05 -0400, Simo wrote:

> On Wed, 2017-08-09 at 17:01 +1200, Andrew Bartlett via samba-technical
> wrote:
> > Samba's self-signed certificates are meant to be replaced by proper
> > certificates, but few people do that. 
> >
> > Either way, we shouldn't use SHA1.  It has been on the 'do not use'
> > list for quite some time now. 
> >
> > If someone can review this into master, I would then like to backport
> > it to supported releases. 
>
> Maybe we should leave them to use SHA1 so that it becomes overly clear
> that people should replace them?

No.  They are fine for trust-on-first-use kind of operations.  Having
it this way just causes trouble with auditors and likely library-level
refusal in the future.

e.g.:

The default security mechanisms within the software produced by the 
project SHOULD NOT depend on cryptographic algorithms or modes with 
known serious weaknesses (e.g., the SHA-1 cryptographic hash algorithm 
or the CBC mode in SSH).

https://bestpractices.coreinfrastructure.org/projects/200#security

There is no good reason to autogenerate these certificates with SHA1
when a simple code change can bring it to a supported standard.

We describe well how to get a real certificate here:
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
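
For administrators who want to find out which deployed certificates are still SHA-1 signed, here is an added example that is not part of this thread or of Samba's code: a small DER walker that reads the outer signatureAlgorithm of an X.509 certificate. The function names are hypothetical and `sample_cert` builds a constructed skeleton input, not a real certificate.

```python
import base64

# DER-encoded signatureAlgorithm OIDs under 1.2.840.113549.1.1 (PKCS #1)
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm(cert):
    """Name the outer signatureAlgorithm of a PEM or DER X.509 certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        lines = [l.strip() for l in cert.splitlines()]
        cert = base64.b64decode(b"".join(l for l in lines if not l.startswith(b"-----")))
    tag, start, _ = read_tlv(cert, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert, start)        # skip tbsCertificate
    tag, alg_start, _ = read_tlv(cert, tbs_end)  # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected certificate layout")
    oid = cert[oid_start:oid_end]
    return SIG_OIDS.get(oid, "unknown:" + oid.hex())

def is_weak(cert):
    """True when the certificate's own signature uses SHA-1."""
    return signature_algorithm(cert).startswith("sha1")

def sample_cert(oid_hex):
    """Constructed skeleton (empty tbsCertificate, dummy signature), not a real cert."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))

if __name__ == "__main__":
    print([signature_algorithm(sample_cert(o)) for o in ("2a864886f70d010105", "2a864886f70d01010b")])
```

Pass the bytes of a certificate file to `is_weak`; an OID outside the two listed is reported as `unknown:<hex>` rather than guessed.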

