Feature #18272
closed
Please replace unsafe SHA1 with another digest algorithm
Description
Context¶
When working on a new version of RHEL (with Ruby 3.0), the requirement is to have a better security (remove unsafe digests or limit the use for non-security purposes). This would be achieved with using OpenSSL 3.0 as well, which will have a raised security level by default, forbidding the use of unsafe digests.
Issue¶
SHA-1 does not conform to the security requirements, and its replacement would be preferred.
A quote from the discussion (the Bug is marked as internal):
SHA-1 is still possible to use for non-security use cases, but it we should try to prevent their use for signatures if possible. The Python took a way to prevent this using non-mandatory argument usedforsecurity=True to the constructor, which lets the programmers to indicate their intention explicitly and policy-makers to verify no SHA1 is used in security context. [1]
[1] https://docs.python.org/3/library/hashlib.html#hashlib.new
Question¶
AFAICT in Ruby it is used for non-security purposes only. Could you confirm that?
Possible solution¶
The use for non-security purposes might be indicated with setting an internal variable, which would allow the use of SHA-1 (although forbidden via OpenSSL setting). Do you think this would be possible?
Additional information¶
The failing tests upon SHA-1 removal in Ruby 3.0.2: https://gist.github.com/pvalena/9a053c5585329b595e2bff504198eba5
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by