Updating SSL keys on fedoraproject.org 2011-03-10
Petr Pisar
ppisar at redhat.com
Fri Mar 11 08:20:33 UTC 2011
On 2011-03-10, Robert Relyea <rrelyea at redhat.com> wrote:
> SHA-1 is also used in the certificate. That, in theory, doesn't require
> TLS 1.2, though only TLS 1.2 includes protocol to tell servers what
> hashing algorithms the clients support, so in a strict sense only TLS
> tells you whether or not it's safe to use a cert with something other
> than SHA-1 or MD5. Most modern browers will support SHA-2 algorithms in
> the certificate (even when using SSL3, to TLS 1.x). The notable
> exceptions is verisons of Windows older than Windows XP service patch 3,
> and several older phones.
>
That's the hash usage I refered. I was amazed the certificate signature
algorithm is RSAwithSHA1. As it was said this does not dependend on TLS
version.
> Many CA's are apparently starting to move SHA-256 roots this year,
> mostly driven by NIST standards.
>
This year? In Europe we are over. All quallified CA's are forbiden to
issue SHA-1 certificates since begin of 2010.
-- Petr
More information about the devel
mailing list