Changeset c67643b in mod_gnutls


Ignore:
Timestamp:
Jul 10, 2021, 11:02:27 AM (3 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master
Children:
b8e9e11
Parents:
3020716
git-author:
Fiona Klute <fiona.klute@…> (07/10/21 10:34:33)
git-committer:
Fiona Klute <fiona.klute@…> (07/10/21 11:02:27)
Message:

SHA1 for issuer name hash and issuer key hash in OCSP requests

Some CAs (notably Let's Encrypt) support only SHA1. Support for that
is required by RFC 5019 [1] and referenced in CAB Forum Baseline
Requirements, too. This particular hash doesn't need to be
cryptographically secure, so switching to SHA1 is the simplest
solution.

[1] https://datatracker.ietf.org/doc/html/rfc5019#section-2.1.1

File:
1 edited

Legend:

Unmodified
Added
Removed
  • src/gnutls_ocsp.c

    r3020716 rc67643b  
    197197    }
    198198
    199     /* GnuTLS doc says that the digest is "normally"
    200      * GNUTLS_DIG_SHA1. */
    201     ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA256,
     199    /* Use SHA1 for issuer name hash and issuer key hash, for
     200     * compliance with "lightweight" OCSP profile specified in RFC
     201     * 5019. */
     202    ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA1,
    202203                                   issuer, req_data->cert);
    203204
Note: See TracChangeset for help on using the changeset viewer.