By the CAs, so you don't need to take any action. With all the
trusted CAs no longer issuing SHA-1 certs, pretty soon all the
extant SHA-1 certs will expire, and there'll be nothing to
> So SHA1-signed certs < BAD!
Don't panic. SHA-1 has been tarnished and is being phased out,
but there are no practical near-term attacks on X.509. The
browsers and CAs are driving it out of the ecosystem early,
which is a good idea, but there's no need for SMTP MTAs to
be part of the police squad deporting SHA-1.
> I don't *think* it does. And I don't find anything that says it does. Or doesn't , as far as that goes.
> In my postfix logs, I still see use of
> 0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> 0xC0,0x19 - AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
> 0xC0,0x14 - ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
> 0x00,0x3A - ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
> 0x00,0x35 - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> 0xC0,0x0A - ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
This is SHA-1 as a keyed MAC for TLS message integrity, not SHA-1
in certificates. No better MAC is available for TLS 1.0 and 1.1,
for SHA2 ciphersuites you need TLS 1.2, which has not yet driven
out its predecessors. SHA-1 as a keyed MAC (HMAC IIRC) is not
believed vulnerable to collision attacks.
> And in the HIGH + MEDIUM cipherlist I use in postfix,
> openssl ciphers -V 'HIGH:MEDIUM:' | grep SHA1 | wc -l
> there's still 40 ciphers with Mac=SHA1.
> Just wanted to verify if the problem is just with cert-signing, or a more
> general usage of SHA1 in any way, in the context of Postfix.
If there were a real problem, the onus to deprecate the weak code
points would be on OpenSSL and to some extent Postfix. As a user
you really should not be working so hard to optimize for security.
Indeed such efforts are often counterproductive. If you're doing
opportunistic TLS, then TLS gives you the strongest mutually
supported ciphersuite. Some security is better than none, if
you exclude weaker, but still widely best-available ciphers then
you get cleartext delivery instead.
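An added example, not from the thread and not Postfix or OpenSSL code, that makes the distinction above concrete. It parses the `openssl ciphers -V` lines quoted in the thread (plus two TLS 1.2 suites added for contrast) to show that `Mac=SHA1` goes with suites negotiable under TLS 1.0 and 1.1 while SHA-2 and AEAD only appear in TLSv1.2 rows, and then computes the record MAC those suites use, HMAC keyed with the MAC write secret over sequence number, record header and fragment as RFC 2246/4346 section 6.2.3.1 define it, to show what that column actually protects. The key, sequence numbers and record contents are constructed test data.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Constructed sample of `openssl ciphers -V` output: the six Mac=SHA1 lines
# quoted in the thread, plus two TLS 1.2 suites (HMAC-SHA256 and AEAD) for contrast.
CIPHERS_V_SAMPLE = """\
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x19 - AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
0xC0,0x14 - ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x3A - ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
0x00,0x35 - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
0x00,0x3D - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
"""


def parse_ciphers_v(text):
    """Turn `openssl ciphers -V` lines into dicts: suite name, the protocol
    version the suite was introduced with (4th column), and Kx/Au/Enc/Mac."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[1] != "-":
            continue  # not a cipher line
        suite = {"name": parts[2], "proto": parts[3]}
        for field in parts[4:]:
            key, _, value = field.partition("=")
            suite[key] = value
        suites.append(suite)
    return suites


def mac_by_protocol(suites):
    """Map each Mac= value to the sorted protocol versions it appears with.
    A suite listed as SSLv3 or TLSv1 is negotiable under TLS 1.0 and 1.1; a
    suite listed as TLSv1.2 needs TLS 1.2, which is why SHA-2 MACs and AEAD
    only show up in the TLSv1.2 rows."""
    table = defaultdict(set)
    for suite in suites:
        table[suite["Mac"]].add(suite["proto"])
    return {mac: sorted(protos) for mac, protos in table.items()}


# Hash behind each Mac= value that is an HMAC (AEAD suites carry no separate MAC).
HMAC_DIGEST = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
               "SHA256": hashlib.sha256, "SHA384": hashlib.sha384}


def tls_record_mac(mac_name, mac_key, seq_num, content_type, version, fragment):
    """Record MAC for non-AEAD suites (RFC 2246/4346/5246, section 6.2.3.1):
    HMAC_hash(MAC_write_secret, seq_num(8) || type(1) || version(2) || length(2) || fragment)."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, HMAC_DIGEST[mac_name]).digest()


def verify_record(mac_name, mac_key, seq_num, content_type, version, fragment, tag):
    """Receiver side: recompute the tag and compare in constant time."""
    expected = tls_record_mac(mac_name, mac_key, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, tag)


def demo():
    """Constructed TLS 1.1 application-data record: the HMAC-SHA1 tag catches
    a flipped byte in the fragment and a replay under another sequence number."""
    key = b"\x11" * 20            # constructed MAC write secret (20 bytes for HMAC-SHA1)
    tls11, app_data = 0x0302, 23  # ProtocolVersion 3.2, ContentType application_data
    fragment = b"220 mail.example ESMTP Postfix\r\n"  # constructed SMTP banner
    tag = tls_record_mac("SHA1", key, 0, app_data, tls11, fragment)
    tampered = bytes([fragment[0] ^ 0x01]) + fragment[1:]
    return {
        "tag_len": len(tag),
        "ok": verify_record("SHA1", key, 0, app_data, tls11, fragment, tag),
        "tampered": verify_record("SHA1", key, 0, app_data, tls11, tampered, tag),
        "replayed": verify_record("SHA1", key, 1, app_data, tls11, fragment, tag),
    }


if __name__ == "__main__":
    print(mac_by_protocol(parse_ciphers_v(CIPHERS_V_SAMPLE)))
    print(demo())
```

On a live system, feed the real output of `openssl ciphers -V 'HIGH:MEDIUM'` to `parse_ciphers_v` instead of the embedded sample. The fourth column names the version a suite was introduced with, so an `SSLv3` entry does not mean SSLv3 is enabled; it means the suite, and its HMAC-SHA1, is what TLS 1.0 and 1.1 peers can negotiate. The verification half shows the property that matters for the thread: the attacker never holds `mac_key`, so a collision in SHA-1 itself gives no way to forge or substitute a record, which is a different threat from a collision in a certificate's to-be-signed data.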
Re: Does SHA1 deprecation apply for Mac=SHA1 in Postfix cipherlist?
On Wed, Aug 2, 2017, at 11:01 AM, Viktor Dukhovni wrote:
> This is SHA-1 as a keyed MAC for TLS message integrity, not SHA-1
> in certificates.
> No better MAC is available for TLS 1.0 and 1.1,
> for SHA2 ciphersuites you need TLS 1.2, which has not yet driven
> out its predecessors.
That settles it in any case. I leave it alone.
> SHA-1 as a keyed MAC (HMAC IIRC) is not
> believed vulnerable to collision attacks.
Good to know
> If there were a real problem, the onus to deprecate the weak code
> points would be on OpenSSL and to some extent Postfix. As a user
> you really should not be working so hard to optimize for security.
I'll keep it up to understand it. Happy to use defaults as long as I understand them and the implications.
Wouldn't be the first time there was an "onus" on somebody to do something, and it wasn't.
Trust but verify!
> If you're doing opportunistic TLS
For this project, I'm not as of this morning. Switched to Mandatory TLS.
Now just working on getting a good understanding of what's what when using it.