crypto/x509: reject SHA-1 signatures in Verify #41682

Closed
FiloSottile opened this issue Sep 28, 2020 · 42 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues release-blocker Security

FiloSottile commented Sep 28, 2020

SHA-1 is weak: a SHA-1 collision was demonstrated and estimated to cost around $50k. https://shattered.io

Accepting SHA-1 signed certificates is a security issue, and lets attackers mount collision attacks if the CA is still signing SHA-1 certificates. crypto/x509 already rejects outright any MD5 signatures for the same reason.

The WebPKI has banned SHA-1 certificates for years now, and crypto/x509 targets a profile compatible with the WebPKI.

I propose we announce in Go 1.17 that we'll remove support in Go 1.18, and provide a GODEBUG opt-out until Go 1.19.

@FiloSottile FiloSottile added Security NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Sep 28, 2020
@FiloSottile FiloSottile added this to the Backlog milestone Sep 28, 2020
@FiloSottile FiloSottile modified the milestones: Backlog, Go1.17 Oct 20, 2020
@FiloSottile FiloSottile self-assigned this Mar 17, 2021
@FiloSottile FiloSottile changed the title crypto/x509: stop verifying SHA-1 signatures proposal: crypto/x509: stop verifying SHA-1 signatures Apr 7, 2021
@FiloSottile FiloSottile added the Proposal-Crypto Proposal related to crypto packages or other security issues label Apr 7, 2021

rsc commented Apr 7, 2021

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

rsc commented Apr 14, 2021

How many of the ancient servers being discussed in #45428 are serving SHA-1 signatures?

@FiloSottile

SHA-1 in crypto/x509 is unrelated to crypto/tls, except to the extent that if you're running a legacy stack you're more likely to have both components be out of date. You can serve a SHA-1 certificate over TLS 1.3, if you felt like it.

There are no publicly trusted SHA-1 certificates anymore, so we pretty much have no numbers about them. (Well, we do, and they say zero, but they don't capture internal deployments.) Anyone using them is doing it with their own managed CA.
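
For the privately managed CAs mentioned above, a pre-upgrade audit can list which certificates still carry SHA-1 signatures. This is an added example, not code from the issue or from the Go project; `Finding`, `AuditSHA1`, `sampleChain` and the certificate names are assumptions made for illustration, and real input would come from `x509.ParseCertificate`.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// Finding describes one certificate carrying a SHA-1 based signature.
type Finding struct {
	Subject    string
	Alg        x509.SignatureAlgorithm
	SelfIssued bool // subject == issuer, e.g. a root kept in the trust store
}

// AuditSHA1 lists certificates whose signature algorithm uses SHA-1.
// Self-issued ones are marked: a root in the trust pool is trusted by
// inclusion, so the certificates that break Verify are the others.
func AuditSHA1(certs []*x509.Certificate) []Finding {
	var out []Finding
	for _, c := range certs {
		switch c.SignatureAlgorithm {
		case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
			out = append(out, Finding{c.Subject.CommonName, c.SignatureAlgorithm,
				bytes.Equal(c.RawSubject, c.RawIssuer)})
		}
	}
	return out
}

// sampleChain is constructed for this example: fields are set by hand
// (not parsed DER) to stand in for an internal root, issuing CA and leaf.
func sampleChain() []*x509.Certificate {
	mk := func(cn, issuer string, alg x509.SignatureAlgorithm) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn},
			RawSubject: []byte(cn), RawIssuer: []byte(issuer), SignatureAlgorithm: alg}
	}
	return []*x509.Certificate{
		mk("Example Internal Root", "Example Internal Root", x509.SHA1WithRSA),
		mk("Example Issuing CA", "Example Internal Root", x509.SHA1WithRSA),
		mk("svc.example.internal", "Example Issuing CA", x509.SHA256WithRSA),
	}
}

func main() {
	for _, f := range AuditSHA1(sampleChain()) {
		fmt.Printf("%-24s %v selfIssued=%v\n", f.Subject, f.Alg, f.SelfIssued)
	}
}
```

Any finding with `SelfIssued` false needs to be reissued with a SHA-256 or stronger signature.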

@rsc rsc changed the title proposal: crypto/x509: stop verifying SHA-1 signatures proposal: crypto/x509: reject SHA-1 signatures in Verify Apr 21, 2021

rsc commented Apr 21, 2021

Based on the discussion above, this proposal seems like a likely accept.
— rsc for the proposal review group


rsc commented Apr 28, 2021

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

@rsc rsc changed the title proposal: crypto/x509: reject SHA-1 signatures in Verify crypto/x509: reject SHA-1 signatures in Verify Apr 28, 2021
@FiloSottile

https://golang.org/cl/327811 has the pre-announcement, moving to Go 1.18 for implementation.

@FiloSottile FiloSottile modified the milestones: Go1.17, Go1.18 Jun 15, 2021
@FiloSottile FiloSottile removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Proposal-FinalCommentPeriod labels Jun 15, 2021
istio-testing pushed a commit to istio-testing/istio that referenced this issue Nov 28, 2022
When using LibreSSL 2.8.3 the generated certs are using SHA1. This
causes istiod to fail to start up due to changes in go 1.18 (see
golang/go#41682).

This also fixes the instructions for
https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/
istio-testing added a commit to istio/istio that referenced this issue Nov 28, 2022
When using LibreSSL 2.8.3 the generated certs are using SHA1. This
causes istiod to fail to start up due to changes in go 1.18 (see
golang/go#41682).

This also fixes the instructions for
https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/

Co-authored-by: Jacob Delgado
andrew-d pushed a commit to tailscale/go that referenced this issue Dec 7, 2022
…wing SHA1 certificates

This allows programs that want SHA1 support to call os.Setenv at startup
instead of insisting that users set the environment variable themselves.

For golang#41682.
Fixes golang#56436.
Fixes golang#56438.

Change-Id: Idcb96212a1d8c560e1dd8eaf7c80b6266f16431e
Reviewed-on: https://go-review.googlesource.com/c/go/+/445496
Reviewed-by: David Chase
Run-TryBot: Russ Cox
Reviewed-by: Roland Shoemaker
TryBot-Result: Gopher Robot
Auto-Submit: Russ Cox
Reviewed-on: https://go-review.googlesource.com/c/go/+/445655
@gopherbot

Change https://go.dev/cl/629676 mentions this issue: crypto/x509: remove x509sha1 GODEBUG

@dmitshur dmitshur modified the milestones: Backlog, Go1.24 Nov 19, 2024
@dmitshur

@rolandshoemaker This is documented in godebug.md, but not in the Go 1.24 release notes. Do you think this should be documented there?

@rolandshoemaker

Ah yes, probably. Will add a note. Thanks!

@dmitshur

Thanks. Reopening this with a release blocker so it's tracked.

@gopherbot

Change https://go.dev/cl/631677 mentions this issue: doc: add note about x5091sha removal
