Hey guys, I am new to Certbot and was wondering why it always uses SHA1 to check certificates instead of a more secure algorithm (source code).
I know it has better compatibility. However, is it feasible to add sha256 (or another algorithm) support?
I also found a similar commit in the history:
Remove use of sha1 (#4271)
I believe Let's Encrypt (and other CAs) are implementing the so-called lightweight OCSP profile from RFC 5019. Thus Certbot is "limited" by what OCSP profiles are implemented by CAs.
It's worth noting that the hash function used in OCSP requests is a non-cryptographic hash: it's being used just to compute a unique-enough identifier, like an in-memory hash table.
However, this will trip AI-based code analysis tools, and cause people to constantly bring this up, as organizations increasingly rely on garbage tech like this.
I haven't looked at the code, but it might make sense to drop a comment line about this.
(I use md5 for similar reasons in a few projects, and have gotten sick of this type of complaint)
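An added illustration, not part of the thread and not Certbot's code, of the two points made in the replies: the CertID hashes in an OCSP request serve as a lookup key, and a client can only use the hash algorithm the responder indexes by. `ToyResponder`, `cert_id` and the byte strings are hypothetical, constructed for this sketch.

```python
import hashlib

# Constructed stand-ins: a real client takes the DER-encoded issuer name and
# the issuer public key bytes from the issuer certificate.
ISSUER_NAME_DER = b"constructed issuer distinguished name"
ISSUER_KEY_BYTES = b"constructed issuer public key"


def cert_id(hash_name, issuer_name_der, issuer_key, serial):
    """CertID fields of an OCSP request, in RFC 6960 order."""
    def digest(data):
        return hashlib.new(hash_name, data).hexdigest()
    return (hash_name, digest(issuer_name_der), digest(issuer_key), serial)


class ToyResponder:
    """Hypothetical responder that files statuses under SHA-1 CertIDs only,
    the hash RFC 5019 requires clients to use."""

    def __init__(self):
        self._by_cert_id = {}

    def publish(self, issuer_name_der, issuer_key, serial, status):
        key = cert_id("sha1", issuer_name_der, issuer_key, serial)
        self._by_cert_id[key] = status

    def query(self, request_cert_id):
        # The hashes act purely as a dictionary key; None means no entry.
        return self._by_cert_id.get(request_cert_id)


def demo():
    responder = ToyResponder()
    responder.publish(ISSUER_NAME_DER, ISSUER_KEY_BYTES, 0x1234, "good")
    sha1_id = cert_id("sha1", ISSUER_NAME_DER, ISSUER_KEY_BYTES, 0x1234)
    sha256_id = cert_id("sha256", ISSUER_NAME_DER, ISSUER_KEY_BYTES, 0x1234)
    return responder.query(sha1_id), responder.query(sha256_id)


if __name__ == "__main__":
    print(demo())
```

The same certificate is found under its SHA-1 CertID and missed under a SHA-256 one, because the responder never computed that key.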