Hey guys, I am new to Certbot and was wondering why it always uses SHA1 to check certificates instead of a more secure algorithm. source code
I know it has better compatibility. However, is it feasible to add sha256(or other algorithm) support?
Also found a similar history commit.
Remove use of sha1 (#4271)
I believe Let's Encrypt (and other CAs) are implementing the so called lightweight OCSP profile from RFC 5019. Thus Certbot is "limited" by what OCSP profiles are implemented by CAs.
The usage of SHA1 with regard to Let's Encrypt has been discussed earlier, see OCSP Responder support for SHA2 hashes in CertID - #2 by JamesLE and the linked thread there at Support mod_gnutls with Apache - #47 by aarongable and the Github issues linked in that post for more information.
Thanks for the kind reply!
It's worth noting that the hash function used in OCSP requests is a non-cryptographic hash: it's being used just to compute a unique-enough identifier, like an in-memory hash table.
However, this will trip AI based code analysis tools, and cause people to constantly bring this up, as organizations increasingly rely on garbage tech like this.
I haven't looked at the code, but it might make sense dropping a comment line about this.
(I use md5 for similar reasons in a few projects, and have gotten sick of this type of complaint)
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.