Feature #18272

closed

Please replace unsafe SHA1 with another digest algorithm

Added by pvalena (Pavel Valena) 11 months ago. Updated 10 months ago.

Status: Third Party's Issue
Priority: Normal
Assignee: -
Target version: -
[ruby-core:105823]

Description

Context

When working on a new version of RHEL (with Ruby 3.0), the requirement is to have better security (remove unsafe digests or limit their use to non-security purposes). This would be achieved by using OpenSSL 3.0 as well, which will have a raised security level by default, forbidding the use of unsafe digests.

Issue

SHA-1 does not conform to the security requirements, and its replacement would be preferred.
A quote from the discussion (the Bug is marked as internal):

SHA-1 is still possible to use for non-security use cases, but we should try to prevent its use for signatures if possible. Python took the approach of preventing this with a non-mandatory argument usedforsecurity=True to the constructor, which lets programmers indicate their intention explicitly and policy-makers verify that no SHA1 is used in a security context. [1]

[1] https://docs.python.org/3/library/hashlib.html#hashlib.new

Question

AFAICT in Ruby it is used for non-security purposes only. Could you confirm that?

Possible solution

The use for non-security purposes might be indicated by setting an internal variable, which would allow the use of SHA-1 (although forbidden via the OpenSSL setting). Do you think this would be possible?

Additional information

The failing tests upon SHA-1 removal in Ruby 3.0.2: https://gist.github.com/pvalena/9a053c5585329b595e2bff504198eba5


Related issues: 1 (0 open, 1 closed)

Related to Ruby master - Bug #18356: Please replace use of unsafe MD5 with another digest algorithm (Third Party's Issue)
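The explicit-intent pattern discussed in this issue (Python's `usedforsecurity` argument), sketched in Ruby as an added example; it is not code from Ruby, from this issue or from its author. The `PolicyDigest` module, the `used_for_security:` keyword and the `WEAK` list are hypothetical names chosen for illustration; only the standard `digest` library is real.

```ruby
require 'digest'

# Hypothetical policy gate (not a Ruby API): weak digests are refused unless
# the caller states that the hash is not used for a security purpose.
module PolicyDigest
  class WeakDigestError < StandardError; end

  # Assumption: the digests a site policy treats as unsafe.
  WEAK = %w[MD5 SHA1].freeze
  ALGORITHMS = {
    'MD5' => Digest::MD5, 'SHA1' => Digest::SHA1,
    'SHA256' => Digest::SHA256, 'SHA512' => Digest::SHA512
  }.freeze

  @audit = []
  class << self
    # Every permitted weak-digest use, so a reviewer can check the call sites.
    attr_reader :audit
  end

  # Returns a fresh digest object. used_for_security defaults to true, so an
  # unannotated request for SHA-1 or MD5 fails closed.
  def self.new_digest(name, used_for_security: true)
    key = name.to_s.upcase.delete('-')
    klass = ALGORITHMS.fetch(key) { raise ArgumentError, "unknown digest: #{name}" }
    if WEAK.include?(key)
      if used_for_security
        raise WeakDigestError, "#{key} is not allowed in a security context"
      end
      @audit << { algorithm: key, caller: caller_locations(1, 1).first.to_s }
    end
    klass.new
  end
end

if __FILE__ == $PROGRAM_NAME
  # Non-security use (for example a cache key): allowed, but recorded.
  key = PolicyDigest.new_digest('SHA-1', used_for_security: false)
  puts key.update('constructed sample input').hexdigest

  # Security use with a weak digest: refused.
  begin
    PolicyDigest.new_digest('SHA1')
  rescue PolicyDigest::WeakDigestError => e
    puts "refused: #{e.message}"
  end
  PolicyDigest.audit.each { |entry| puts "weak digest use: #{entry}" }
end
```

The audit list is what gives policy-makers the verification step the quoted discussion asks for: every weak-digest call site is both explicit in the source and recorded at run time.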