Remove SHA-1 in TLS by default

Default to forbidding the use of SHA-1 in TLS where it is unsafe: for certificate signing, and as the signature hash algorithm for the TLS 1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the XXX_SHA ciphersuites and in the PRF for TLS <= 1.1. For easy backward compatibility for use in controlled environments, turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2025-12-24 00:06:32 +01:00 · 2017-05-04 16:17:21 +02:00 · 2017-05-04 16:17:21 +02:00 · 5e79cb3662
commit 5e79cb3662
parent 23b33f8663
4 changed files with 25 additions and 4 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -7162,7 +7162,7 @@ static int ssl_preset_default_hashes[] = {
    MBEDTLS_MD_SHA256,
    MBEDTLS_MD_SHA224,
 #endif
-#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
    MBEDTLS_MD_SHA1,
 #endif
    MBEDTLS_MD_NONE
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -85,9 +85,11 @@ static void mbedtls_zeroize( void *v, size_t n ) {
 */
 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
 {
-    /* Hashes from SHA-1 and above */
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
+    /* Allow SHA-1 (weak, but still safe in controlled environments) */
    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
-    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
+#endif
+    /* Only SHA-2 hashes */
    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |