  1. XWiki Platform
  2. XWIKI-19676

Update the RSA Crypto script service to use SHA256 instead of SHA1 for certificate signature

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.10.5
    • Fix Version/s: 14.3.1, 14.4-rc-1, 13.10.6
    • Component/s: Crypto
    • Labels:
      None
    • Difficulty:
      Unknown
    • Documentation:
      N/A

      Description

      Since September 2021, OpenSSL in version 3.0.0 discards by default certificates signed using SHA1, as techniques have been found to create collisions on SHA1 signatures.

      In order to continue using SHA1-signed certificates, end users have to configure their OpenSSL installation to lower its security level, which will also allow other less-securely signed certificates to be validated by OpenSSL (this issue talks about it).

      In XWiki, we use SHA1 with RSA to sign certificates with the crypto APIs by default; this task is about switching to a more robust hashing algorithm.

      Looking at what is done outside, it seems that SHA256-signed certificates have become the norm, and are now used by Let's Encrypt.
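
The switch this task describes, shown with the Bouncy Castle certificate builder used directly (an added example, not XWiki's crypto API and not code from this issue; the Bouncy Castle dependency, the class and method names and the subject `CN=constructed-example` are assumptions). The digest is selected by the JCA algorithm name given to the content signer, and `isSha1Signed` is a check that can be run over existing certificates to find those that still need reissuing.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Locale;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class CertSignatureDigestDemo {
    // Build a self-signed certificate signed with the given JCA signature algorithm.
    static X509Certificate selfSign(KeyPair keys, String sigAlg) throws Exception {
        X500Name name = new X500Name("CN=constructed-example"); // constructed subject
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 24L * 60 * 60 * 1000);
        // The digest used for the certificate signature is decided here.
        ContentSigner signer = new JcaContentSignerBuilder(sigAlg).build(keys.getPrivate());
        X509CertificateHolder holder = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(System.nanoTime()), notBefore, notAfter,
                name, keys.getPublic()).build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    // True when the certificate signature relies on SHA-1 (for example "SHA1withRSA").
    static boolean isSha1Signed(X509Certificate cert) {
        return cert.getSigAlgName().toUpperCase(Locale.ROOT).startsWith("SHA1WITH");
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair keys = gen.generateKeyPair();
        // Same key pair, two digests: the old default first, then the replacement.
        for (String alg : new String[] {"SHA1withRSA", "SHA256withRSA"}) {
            X509Certificate cert = selfSign(keys, alg);
            System.out.printf("requested=%s sigAlg=%s oid=%s sha1Signed=%b%n",
                    alg, cert.getSigAlgName(), cert.getSigAlgOID(), isSha1Signed(cert));
        }
    }
}
```
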

            People

            Assignee:
            caubin Clément Aubin
            Reporter:
            caubin Clément Aubin