Sha256(or other algorithm) support for certbot ocsp validation

Hey guys, I am new to Certbot and was wondering why it always uses SHA1 to check certificates instead of a more secure algorithm. source code
I know it has better compatibility. However, is it feasible to add sha256(or other algorithm) support?

Also found a similar history commit.
Remove use of sha1 (#4271)

I believe Let's Encrypt (and other CAs) are implementing the so called lightweight OCSP profile from RFC 5019. Thus Certbot is "limited" by what OCSP profiles are implemented by CAs.

The usage of SHA1 with regard to Let's Encrypt has been discussed earlier, see OCSP Responder support for SHA2 hashes in CertID - #2 by JamesLE and the linked thread there at Support mod_gnutls with Apache - #47 by aarongable and the Github issues linked in that post for more information.

8 Likes

Thanks for the kind reply!

3 Likes

It's worth noting that the hash function used in OCSP requests is a non-cryptographic hash: it's being used just to compute a unique-enough identifier, like an in-memory hash table.

10 Likes

However, this will trip AI based code analysis tools, and cause people to constantly bring this up, as organizations increasingly rely on garbage tech like this.

I haven't looked at the code, but it might make sense dropping a comment line about this.

(I use md5 for similar reasons in a few projects, and have gotten sick of this type of complaint)

3 Likes