Standard default policy requires disabling SHA-1 but the application requires SHA-1 crypto policy
Environment
- Red Hat Enterprise Linux
- 8.x
Issue
- Use case: the engineering standard requires the default crypto policy to disable SHA-1, but the application still requires SHA-1. How can this be configured?
Resolution
- To re-enable SHA-1 on top of a policy that disables it, create a custom policy module (pmod file) such as the example below. Note that the protocol@tls line in this example also re-enables TLS 1.0 and TLS 1.1; omit it if only SHA-1 is required.
# cat /etc/crypto-policies/policies/modules/SHA1TLS10.pmod
hash = +SHA1
sign = +*-SHA1
sha1_in_certs = 1
protocol@tls = +TLS1.1 +TLS1.0
# update-crypto-policies --set DEFAULT:NO-SHA1:SHA1TLS10
The only workaround is to apply a custom pmod file and set the policy to DEFAULT:NO-SHA1:SHA1TLS10, as in the example above, instead of the standard "DEFAULT:NO-SHA1". The modules are applied in the order given, so the SHA1TLS10 module re-adds what NO-SHA1 removed.
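To make the stacking behaviour concrete, the following is an added Python model of how a base policy and a chain of modules such as DEFAULT:NO-SHA1:SHA1TLS10 resolve. It is not crypto-policies' own code: the abbreviated DEFAULT base policy, the known-value table and the NO-SHA1 module text are constructed stand-ins, only the +value / -value list modifiers used above (with * globs) and scalar options are modelled, and added values are simply appended rather than ordered by priority as the real tool does.

```python
"""Simplified model of update-crypto-policies stacking BASE:MOD1:MOD2.

Added illustration only; the real crypto-policies implementation, its
priority ordering and its full option set are not reproduced here.
"""
from fnmatch import fnmatchcase

# Constructed, abbreviated stand-in for the DEFAULT policy (not the real file).
BASE_DEFAULT = {
    "hash": ["SHA2-256", "SHA2-384", "SHA2-512", "SHA1"],
    "sign": ["RSA-PSS-SHA2-256", "RSA-SHA2-256", "ECDSA-SHA2-256",
             "RSA-SHA1", "ECDSA-SHA1"],
    "sha1_in_certs": "1",
    "protocol@tls": ["TLS1.3", "TLS1.2"],
}

# Constructed table of every value a '+glob' may add, per list-valued option.
KNOWN = {
    "hash": BASE_DEFAULT["hash"],
    "sign": BASE_DEFAULT["sign"],
    "protocol@tls": ["TLS1.3", "TLS1.2", "TLS1.1", "TLS1.0"],
}

# Constructed approximation of the NO-SHA1 module (the inverse of SHA1TLS10).
NO_SHA1_PMOD = """
hash = -SHA1
sign = -*-SHA1
sha1_in_certs = 0
"""

# The SHA1TLS10 module from the article, verbatim.
SHA1TLS10_PMOD = """
hash = +SHA1
sign = +*-SHA1
sha1_in_certs = 1
protocol@tls = +TLS1.1 +TLS1.0
"""

BASES = {"DEFAULT": BASE_DEFAULT}
MODULES = {"NO-SHA1": NO_SHA1_PMOD, "SHA1TLS10": SHA1TLS10_PMOD}


def parse_pmod(text):
    """Parse 'option = token token ...' lines into (option, [tokens]) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        option, _, value = line.partition("=")
        entries.append((option.strip().lower(), value.split()))
    return entries


def apply_module(policy, pmod_text):
    """Return a copy of policy with one module's settings applied on top."""
    policy = {k: (list(v) if isinstance(v, list) else v) for k, v in policy.items()}
    for option, tokens in parse_pmod(pmod_text):
        if option not in KNOWN:                # scalar option, e.g. sha1_in_certs
            policy[option] = " ".join(tokens)
            continue
        current = policy.setdefault(option, [])
        if not any(t[0] in "+-" for t in tokens):
            policy[option] = tokens            # plain list replaces the whole value
            continue
        for token in tokens:
            if token.startswith("-"):          # remove every value matching the glob
                current[:] = [v for v in current if not fnmatchcase(v, token[1:])]
            elif token.startswith("+"):        # add every known value matching the glob
                for v in KNOWN[option]:
                    if fnmatchcase(v, token[1:]) and v not in current:
                        current.append(v)
            else:
                raise ValueError(f"mixed plain and modifier tokens in {option!r}")
        policy[option] = current
    return policy


def resolve(policy_string, bases=BASES, modules=MODULES):
    """Resolve 'BASE:MOD1:MOD2' by applying each module in the order given."""
    name, *mods = policy_string.split(":")
    policy = bases[name]
    for mod in mods:
        policy = apply_module(policy, modules[mod])
    return policy


if __name__ == "__main__":
    for spec in ("DEFAULT", "DEFAULT:NO-SHA1", "DEFAULT:NO-SHA1:SHA1TLS10"):
        print(spec)
        for option, value in resolve(spec).items():
            print(f"  {option} = {value}")
```

Running the script shows SHA1 and the *-SHA1 signature schemes disappearing under DEFAULT:NO-SHA1 and reappearing, together with TLS1.0 and TLS1.1, once SHA1TLS10 is stacked on top. On a real system the active policy string can be confirmed with update-crypto-policies --show.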
Note: Ideally, update your application to accept SHA-256 or stronger algorithms. SHA-1 is no longer considered secure because of known collision attacks, which could compromise the integrity of signed data. Many organizations and standards have moved away from SHA-1 in favor of more secure algorithms such as SHA-256.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.