On Sun, Jun 9, 2024 at 11:22 AM Zbigniew Jędrzejewski-Szmek < zbyszek@in.waw.pl> wrote:
In https://fedoraproject.org/wiki/SHA1SignaturesGuidance:
At the moment, we don't provide a public API to enable SHA-1 signature support in OpenSSL programmatically. We ask you to respect the system administrator's configuration choice on this. We're planning to work with OpenSSL upstream to introduce a more suitable API in the future
Any news on this? Being able to make this policy configurable at application level would make things _much_ easier.
We don't plan to provide such an API, sorry. SHA1 is insecure. It should be eliminated from the crypto contexts _before_ a second-preimage attack starts to cost $0.02