oss-sec mailing list archives

Re: feedback requested regarding deprecation of TLS 1.0/1.1


From: Clemens Lang <cllang () redhat com>
Date: Thu, 8 Aug 2024 12:51:35 +0200

Hello Steffen,

On 7. Aug 2024, at 22:16, Steffen Nurpmeso <steffen () sdaoden eu> wrote:

> Isn't that terribly rhetorical, and can kill sheep indeed.
> To reiterate that SSL/TLS are standards, they had version
> iterations, which possibly got around some real protocol problem.
> These offer standardized sets of ciphersuites, some of those, of
> the elder versions, are "no longer secure".  (I am no
> cryptographer to tell whether they ever were completely so, or
> whether there are "mathematical tricks" to get away without brute
> force for them.  That aside.)  That is basically it.  But, as far
> as i understand it, even TLSv1 supported forward-secrecy stuff, i.e.
>
>  # openssl ciphers -v EECDH+AESGCM:EECDH+AES256:CHACHA20:!DHE
>
> gives two members, and except for the SHA-1 MAC this looks pretty
> modern.  But again: i am far from being an expert.

TLS < 1.2 only supports a single signature algorithm, which uses SHA1-MD5 as digest.
Only TLS >= 1.2 supports the signature_algorithms extension to negotiate modern digests.

MD5 is fully broken. SHA-1 is questionable. Their combination may withstand attacks a little bit longer, but probably not by much.

The MAC is actually fine, since it’s HMAC with SHA-1, which isn’t as affected by a SHA-1 collision attack [1].


  [1]: https://security.stackexchange.com/questions/187866/why-aren-t-collisions-important-with-hmac


-- 
Clemens Lang
RHEL Crypto Team
Red Hat
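
The two points made above (the fixed MD5 || SHA-1 digest under the pre-1.2 ServerKeyExchange signature versus the hash negotiated through signature_algorithms in TLS 1.2, and the keyed HMAC-SHA1 record MAC) as an added worked example. This is not code from the thread, from Red Hat or from OpenSSL; it only mirrors the message layouts in RFC 2246 sections 6.2.3.1 and 7.4.3 and RFC 5246 sections 7.4.1.4.1 and 7.4.3. The randoms, ECDHE parameters and MAC key are constructed sample bytes, and the `choose_hash` policy (refuse MD5 and SHA-1 rather than fall back) is this example's assumption, not an RFC rule.

```python
"""Added example: what TLS 1.0/1.1 sign versus what TLS 1.2 signs, and the
TLS 1.0 record MAC. Byte values are constructed samples, not captured traffic."""
import hashlib
import hmac
import struct


def tls10_signed_digest(client_random: bytes, server_random: bytes,
                        server_params: bytes) -> bytes:
    """TLS 1.0/1.1 with RSA: the signature covers MD5(data) || SHA-1(data),
    36 bytes, where data = client_random + server_random + ServerKeyExchange
    params (RFC 2246 7.4.3). Both hashes are fixed by the protocol."""
    data = client_random + server_random + server_params
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


# SignatureAndHashAlgorithm code points, RFC 5246 7.4.1.4.1
HASH_ALGS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256",
             5: "sha384", 6: "sha512"}
SIG_ALGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def parse_signature_algorithms(ext_body: bytes) -> list:
    """Parse a signature_algorithms extension body: uint16 length followed by
    (hash, signature) byte pairs in the client's order of preference."""
    if len(ext_body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    pairs = ext_body[2:]
    if len(pairs) != length or length % 2 or length == 0:
        raise ValueError("malformed signature_algorithms extension")
    return [(HASH_ALGS.get(pairs[i], "unknown"),
             SIG_ALGS.get(pairs[i + 1], "unknown"))
            for i in range(0, length, 2)]


def choose_hash(offered, sig="rsa",
                allowed=("sha256", "sha384", "sha512")) -> str:
    """Server policy assumed by this example (not an RFC rule): take the first
    client-offered hash for `sig` that is in `allowed`; never fall back to
    MD5 or SHA-1 just because the peer lists them."""
    for hash_name, sig_name in offered:
        if sig_name == sig and hash_name in allowed:
            return hash_name
    raise ValueError("peer offers no acceptable hash for %s" % sig)


def tls12_signed_digest(client_random: bytes, server_random: bytes,
                        server_params: bytes, hash_name: str) -> bytes:
    """TLS 1.2: only the negotiated hash is signed (RFC 5246 7.4.3). This is
    the mechanism that lets TLS >= 1.2 leave MD5 || SHA-1 behind."""
    data = client_random + server_random + server_params
    return hashlib.new(hash_name, data).digest()


def tls10_record_mac(mac_key: bytes, seq_num: int, content_type: int,
                     version: int, fragment: bytes) -> bytes:
    """RFC 2246 6.2.3.1: HMAC_SHA1(MAC_write_secret,
    seq_num || type || version || length || fragment). Keyed, so a bare
    SHA-1 collision does not give an attacker a forged tag."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def verify_record_mac(mac_key: bytes, seq_num: int, content_type: int,
                      version: int, fragment: bytes, tag: bytes) -> bool:
    """Constant-time check of a received record MAC."""
    expected = tls10_record_mac(mac_key, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, tag)


# Constructed sample values (not real handshake material)
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
SERVER_PARAMS = b"\x03\x00\x17\x41\x04" + b"\xaa" * 64   # fake named-curve ECDHE params
MAC_KEY = b"\x0b" * 20                                    # fake MAC_write_secret

if __name__ == "__main__":
    old = tls10_signed_digest(CLIENT_RANDOM, SERVER_RANDOM, SERVER_PARAMS)
    print("TLS 1.0 signed digest, MD5||SHA-1, %d bytes: %s" % (len(old), old.hex()))
    # Client offers sha256/rsa, sha1/rsa, md5/rsa in that order.
    offered = parse_signature_algorithms(bytes.fromhex("0006040102010101"))
    chosen = choose_hash(offered)
    new = tls12_signed_digest(CLIENT_RANDOM, SERVER_RANDOM, SERVER_PARAMS, chosen)
    print("TLS 1.2 negotiated %s, %d bytes: %s" % (chosen, len(new), new.hex()))
    frag = b"GET / HTTP/1.0\r\n"
    tag = tls10_record_mac(MAC_KEY, 0, 23, 0x0301, frag)
    print("record MAC verifies:", verify_record_mac(MAC_KEY, 0, 23, 0x0301, frag, tag))
    print("tampered fragment verifies:",
          verify_record_mac(MAC_KEY, 0, 23, 0x0301, frag[:-1] + b"\0", tag))
```

Running it shows the 36-byte pre-1.2 digest next to the 32-byte SHA-256 digest a TLS 1.2 server picks from the client's list, and that flipping one byte of a record (or replaying it under another sequence number) fails the HMAC check even though the hash inside it is SHA-1.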

