Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: consider removing support for signing with RSA-MD5 #42125

Closed
rolandshoemaker opened this issue Oct 21, 2020 · 5 comments
Closed

crypto/x509: consider removing support for signing with RSA-MD5 #42125

rolandshoemaker opened this issue Oct 21, 2020 · 5 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Go1.19

Comments

@rolandshoemaker
Copy link
Member

MD5 is very broken, which is why we don't implement support for verifying certificates that use the RSA-MD5 (MD5WithRSA) signature algorithm. We do still support signing new certificates with RSA-MD5 though, which is not ideal as it introduces some inconsistency around how we handle certificates (i.e. see https://go-review.googlesource.com/c/go/+/264019).

Presumably we still provide support because at some point in the past there were still some users of RSA-MD5 certificates, and we're only allowing them to create broken certificates rather than verifying them (and thus relying on them). Unless there are still significant use cases I'd suggest we just completely axe support for this broken signature algorithm, reducing our support burden, and hopefully further dissuading anyone from making a serious mistake in their choice of algorithms.
@rolandshoemaker rolandshoemaker added this to the Backlog milestone Oct 21, 2020
@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 21, 2020
@ALTree ALTree added the Proposal-Crypto Proposal related to crypto packages or other security issues label Oct 21, 2020
@gopherbot
Copy link

Change https://golang.org/cl/285872 mentions this issue: crypto/x509: disable signing with MD5WithRSA

@FiloSottile FiloSottile modified the milestones: Backlog, Go1.17 Mar 17, 2021
@katiehockman katiehockman removed the Proposal-Crypto Proposal related to crypto packages or other security issues label Apr 26, 2021
@katiehockman
Copy link
Contributor

Removed Proposal-Crypto label since this doesn't need to go through the proposal committee.

@mknyszek mknyszek modified the milestones: Go1.17, Go1.18 Aug 18, 2021
@ianlancetaylor
Copy link
Contributor

@rolandshoemaker This is in the Go 1.18 milestone. What is the status of this for the 1.18 release? Thanks.

@rolandshoemaker
Copy link
Member Author

We decided to pre-announce this in 1.18, and disable it in 1.19, I've moved it to the right milestone.

@rolandshoemaker rolandshoemaker modified the milestones: Go1.18, Go1.19 Nov 17, 2021
@gopherbot
Copy link

Change https://go.dev/cl/391174 mentions this issue: _content/doc/go1.18: preannounce x509 md5 deprecation

gopherbot pushed a commit to golang/website that referenced this issue Mar 14, 2022
@rolandshoemaker @FiloSottile
_content/doc/go1.18: preannounce x509 md5/sha1 deprecation
67d6dac 
Pre-announce the removal of certificate signing with MD5 and SHA-1
based algs in 1.19.

Updates golang/go#42125

Change-Id: I78784f3182b1d33ce6271621abd6c35cd668d93c
Reviewed-on: https://go-review.googlesource.com/c/website/+/391174
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Trust: Dmitri Shuralyov <dmitshur@google.com>
passionSeven added a commit to passionSeven/website that referenced this issue Oct 18, 2022
@passionSeven
_content/doc/go1.18: preannounce x509 md5/sha1 deprecation
a7ab291 
Pre-announce the removal of certificate signing with MD5 and SHA-1
based algs in 1.19.

Updates golang/go#42125

Change-Id: I78784f3182b1d33ce6271621abd6c35cd668d93c
Reviewed-on: https://go-review.googlesource.com/c/website/+/391174
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Trust: Dmitri Shuralyov <dmitshur@google.com>
@golang golang locked and limited conversation to collaborators Jun 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Go1.19
Development

No branches or pull requests
8 participants
@cagedmantis @FiloSottile @mknyszek @ianlancetaylor @ALTree @rolandshoemaker @gopherbot @katiehockman