[LEDE-DEV] [PATCH] mbedtls: Re-allow SHA1-signed certificates

Hauke Mehrtens hauke at hauke-m.de
Fri Aug 4 09:37:07 PDT 2017


On 07/30/2017 05:57 PM, Baptiste Jonglez wrote:
> From: Baptiste Jonglez <git at bitsofnetworks.org>
> 
> Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
> This breaks openvpn clients that try to connect to servers that
> present a TLS certificate signed with SHA1, which is fairly common.
> 
> Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.
> 
> Fixes: FS#942
> 
> Signed-off-by: Baptiste Jonglez <git at bitsofnetworks.org>

I agree to put this into LEDE 17.01 and the master branch for now.

There are probably a lot of old certificates out there that are still in
use and are SHA1. As the public CAs are not issuing any SHA1
certificates any more, and creating your own certificate rather than just
modifying an existing certificate is harder, I think there is no big
security problem here.

If nobody disagrees I would merge this in one week.

Hauke
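Before relying on the re-allow, an operator may want to know which certificates in an OpenVPN chain are actually SHA-1 signed. The following is an added example, not part of the patch or of mbedtls: it reads the outer signatureAlgorithm of a DER certificate with a minimal stdlib parser, and the sample inputs are constructed certificate shells (syntactically shaped like a Certificate, not real certificates).

```python
import base64

# Added example (not mbedtls or LEDE code): flag certificates whose outer
# signatureAlgorithm is a SHA-1 variant. Assumes well-formed DER input.

SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """OID of Certificate.signatureAlgorithm, i.e. what a verifier checks."""
    _, start, _ = _read_tlv(cert_der, 0)                # Certificate SEQUENCE
    _, _, tbs_end = _read_tlv(cert_der, start)          # skip tbsCertificate
    _, start, _ = _read_tlv(cert_der, tbs_end)          # AlgorithmIdentifier
    tag, ostart, oend = _read_tlv(cert_der, start)      # algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    return _decode_oid(cert_der[ostart:oend])

def uses_sha1_signature(cert_der):
    return signature_algorithm_oid(cert_der) in SHA1_SIG_OIDS

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

# Constructed sample input: a minimal Certificate *shell*, not a real cert.
def _tlv(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def _fake_cert(sig_oid_bytes):
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))                          # placeholder TBS
    alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + _tlv(0x05, b""))  # AlgorithmIdentifier
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 4)                        # BIT STRING placeholder
    return _tlv(0x30, tbs + alg + sig)

SAMPLE_SHA1 = _fake_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SAMPLE_SHA256 = _fake_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
```

Run it over the server certificate and every intermediate the server sends, since each of those signatures is checked against the mbedtls profile.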


