Updating SSL keys on fedoraproject.org 2011-03-10

Robert Relyea rrelyea at redhat.com
Thu Mar 10 21:22:10 UTC 2011


On 03/10/2011 09:17 AM, Stephen John Smoogen wrote:
> On Thu, Mar 10, 2011 at 01:07, Petr Pisar <ppisar at redhat.com> wrote:
>> On 2011-03-10, Stephen Smoogen <smooge at gmail.com> wrote:
>>> We have already updated fedorahosted.org and will now be updating the
>>> cert for the main site: fedoraproject.org.
>>>
>>> The old certificate came from Equifax, was a 1024 bit key and had the
>>> fingerprint:
>> [...]
>>> The new certificate is issued by GeoTrust, Inc and is a 4096 bit key
>>> with the fingerprint:
>>>
>> Key length is not everything. Didn't you forget to upgrade hash
>> algorithm? Sticking on SHA-1 that's been abandoned by ETSI and other
>> authorities does not look most safely.
> From my research to use the SHA-2 in TLS requires the user and server
> to be both able to talk TLS-1.2. From what I found at wikipedia
> (http://en.wikipedia.org/wiki/Transport_Layer_Security) Firefox does
> not support 1.2 (only Opera and IE8 do).
There is more than one usage for SHA-1/SHA-2. TLS uses SHA-1 as an
HMAC. SHA-1 is still strong for such use (though prudence would
encourage one to move off of SHA-1 even for this operation).

SHA-1 is also used in the certificate. That, in theory, doesn't require
TLS 1.2, though only TLS 1.2 includes protocol to tell servers what
hashing algorithms the clients support, so in a strict sense only TLS
tells you whether or not it's safe to use a cert with something other
than SHA-1 or MD5. Most modern browsers will support SHA-2 algorithms in
the certificate (even when using SSL3, to TLS 1.x). The notable
exceptions are versions of Windows older than Windows XP service patch 3,
and several older phones.

Many CAs are apparently starting to move to SHA-256 roots this year,
mostly driven by NIST standards.

bob
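
Added example, not part of the original message: a sketch of the TLS 1.2 negotiation described above, parsing the signature_algorithms extension (RFC 5246, section 7.4.1.4.1) from a ClientHello extensions block to see whether the client advertised the hash used in the server certificate. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# HashAlgorithm / SignatureAlgorithm code points, RFC 5246 section 7.4.1.4.1
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
EXT_SIGNATURE_ALGORITHMS = 13


def client_sig_algs(extensions: bytes):
    """Return the (hash, signature) pairs a ClientHello offers, or None
    when the signature_algorithms extension is absent."""
    pos = 0
    while pos + 4 <= len(extensions):
        ext_type, ext_len = struct.unpack_from("!HH", extensions, pos)
        body = extensions[pos + 4:pos + 4 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension")
        pos += 4 + ext_len
        if ext_type != EXT_SIGNATURE_ALGORITHMS:
            continue
        # Body is a 2-byte list length followed by 2-byte (hash, sig) pairs.
        if (ext_len < 2 or ext_len % 2
                or struct.unpack_from("!H", body)[0] != ext_len - 2):
            raise ValueError("malformed signature_algorithms")
        return [(HASHES.get(h, hex(h)), SIGS.get(s, hex(s)))
                for h, s in zip(body[2::2], body[3::2])]
    return None


def cert_hash_is_advertised(extensions: bytes, cert_hash: str,
                            cert_sig: str = "rsa"):
    """True or False when the client stated what it supports; None when it
    sent no list (a pre-TLS 1.2 client), so the server has to guess."""
    offered = client_sig_algs(extensions)
    if offered is None:
        return None
    return (cert_hash, cert_sig) in offered


# Constructed sample extension blocks (not captured traffic).
SERVER_NAME = bytes.fromhex("0000" "0006" "0004" "00" "0001" "61")
TLS12_CLIENT = SERVER_NAME + bytes.fromhex("000d" "0006" "0004" "0401" "0201")
OLD_CLIENT = SERVER_NAME  # no signature_algorithms extension at all

if __name__ == "__main__":
    for name, ext in (("TLS 1.2 client", TLS12_CLIENT), ("older client", OLD_CLIENT)):
        print(name, client_sig_algs(ext), cert_hash_is_advertised(ext, "sha256"))
```

A result of None is the case the message describes: without TLS 1.2 the server gets no statement from the client about hashes other than SHA-1 or MD5.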

