Function: nsm-protocol-check--sha1-sig
nsm-protocol-check--sha1-sig is a byte-compiled function defined in
nsm.el.gz.
Signature
(nsm-protocol-check--sha1-sig HOST PORT STATUS &optional SETTINGS)
Documentation
Check for SHA1 signatures on certificates.
The first SHA1 collision was found in 2017[1], as a precaution against the events following the discovery of cheap collisions in MD5, major browsers[2][3][4][5] have removed the use of SHA1 signatures in certificates.
References:
[1]: Stevens M, Karpman P et al (2017). "The first collision for
full SHA-1", https://shattered.io/static/shattered.pdf
[2]: Chromium Security Education TLS/SSL. "Deprecated and Removed
Features (SHA-1 Certificate Signatures)",
https://www.chromium.org/Home/chromium-security/education/tls#TOC-SHA-1-Certificate-Signatures
[3]: Jones J.C (2017). "The end of SHA-1 on the Public Web",
https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/
[4]: Apple Support (2017). "Move to SHA-256 signed certificates to
avoid connection failures",
https://support.apple.com/en-gb/HT207459
[5]: Microsoft Security Advisory 4010323 (2017). "Deprecation of
SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer
11",
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4010323
Source Code
;; Defined in /usr/src/emacs/lisp/net/nsm.el.gz
;; Signature checks
(defun nsm-protocol-check--sha1-sig (_host _port status &optional _settings)
  "Check for SHA1 signatures on certificates.
The first SHA1 collision was found in 2017[1], as a precaution
against the events following the discovery of cheap collisions in
MD5, major browsers[2][3][4][5] have removed the use of SHA1
signatures in certificates.
References:
[1]: Stevens M, Karpman P et al (2017). \"The first collision for
full SHA-1\", `https://shattered.io/static/shattered.pdf'
[2]: Chromium Security Education TLS/SSL. \"Deprecated and Removed
Features (SHA-1 Certificate Signatures)\",
`https://www.chromium.org/Home/chromium-security/education/tls#TOC-SHA-1-Certificate-Signatures'
[3]: Jones J.C (2017). \"The end of SHA-1 on the Public Web\",
`https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/'
[4]: Apple Support (2017). \"Move to SHA-256 signed certificates to
avoid connection failures\",
`https://support.apple.com/en-gb/HT207459'
[5]: Microsoft Security Advisory 4010323 (2017). \"Deprecation of
SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer
11\",
`https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4010323'"
  (cl-loop for certificate in (plist-get status :certificates)
           for algo = (plist-get certificate :signature-algorithm)
           ;; Don't check root certificates -- root is always trusted.
           if (and (not (equal (plist-get certificate :issuer)
                               (plist-get certificate :subject)))
                   (string-match "\\bSHA1\\b" algo))
           return (format-message
                   "SHA1 signature (%s) is prone to collisions"
                   algo)
           end))
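Example (added here, not part of nsm.el): the check run against two constructed certificate chains, one with a SHA1-signed intermediate and one where only the self-issued root uses SHA1. The example-* names, host name and certificate strings are assumptions made up for illustration; the helper reuses the predicate above to list every offending certificate, since the original returns at the first match.

```elisp
;;; Added example, not part of nsm.el.  All certificate data is constructed.
(require 'nsm)
(require 'cl-lib)

(defun example-cert (subject issuer algo)
  "Build a constructed certificate plist with the keys the check reads."
  (list :subject subject :issuer issuer :signature-algorithm algo))

(defun example-sha1-offenders (status)
  "Return the subject of every non-self-issued SHA1-signed cert in STATUS.
Same predicate as `nsm-protocol-check--sha1-sig', but collects all
matches so the certificates needing reissue can be identified."
  (cl-loop for cert in (plist-get status :certificates)
           for algo = (plist-get cert :signature-algorithm)
           ;; Skip entries without an algorithm string instead of erroring.
           if (and (stringp algo)
                   (not (equal (plist-get cert :issuer)
                               (plist-get cert :subject)))
                   (string-match "\\bSHA1\\b" algo))
           collect (plist-get cert :subject)))

(defconst example-chains
  `(;; Leaf is SHA256, but the intermediate is SHA1-signed: flagged.
    (sha1-intermediate
     :certificates
     ,(list (example-cert "CN=www.example.test" "CN=Example Issuing CA"
                          "RSA-SHA256")
            (example-cert "CN=Example Issuing CA" "CN=Example Root"
                          "RSA-SHA1")
            (example-cert "CN=Example Root" "CN=Example Root" "RSA-SHA1")))
    ;; Only the self-issued root uses SHA1: exempt, because issuer
    ;; equals subject and the root is trusted by inclusion, not signature.
    (sha1-root-only
     :certificates
     ,(list (example-cert "CN=www.example.test" "CN=Example Root"
                          "RSA-SHA256")
            (example-cert "CN=Example Root" "CN=Example Root" "RSA-SHA1"))))
  "Constructed stand-ins for the STATUS plist passed to the check.")

;; Print the result of the original check and the full offender list.
(dolist (entry example-chains)
  (let ((status (cdr entry)))
    (message "%s: nsm=%S offenders=%S"
             (car entry)
             (nsm-protocol-check--sha1-sig "host.example.test" 443 status)
             (example-sha1-offenders status))))
```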