[LEDE-DEV] [PATCH] mbedtls: Re-allow SHA1-signed certificates
Hauke Mehrtens
hauke at hauke-m.de
Fri Aug 4 09:37:07 PDT 2017
On 07/30/2017 05:57 PM, Baptiste Jonglez wrote:
> From: Baptiste Jonglez <git at bitsofnetworks.org>
>
> Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
> This breaks openvpn clients that try to connect to servers that
> present a TLS certificate signed with SHA1, which is fairly common.
>
> Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.
>
> Fixes: FS#942
>
> Signed-off-by: Baptiste Jonglez <git at bitsofnetworks.org>
I agree to put this into LEDE 17.01 and the master branch for now.
There are probably a lot of old certificates out there that are still in
use and are SHA1. As the public CAs are not issuing any SHA1
certificates any more and creating a own certificate and not just
modifying an existing is certificate is harder, I think there is no big
security problem here.
If nobody disagrees I would merge this in one week.
Hauke
More information about the Lede-dev
mailing list