New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Distrust cert chains using legacy signature algorithms #1124
Comments
I'm not a practicing security guy but I think this seems sensible. :) |
So, here's some extra notes.
|
I suspect @reaperhulk has an idea about this answer. That said, didn't newer ones already default to shortest path verification? Isn't that how they fixed the certificates being signed by 1024 and 2048 bit keys? IOW, I would guess that something similar should work in this case. |
The default cipher suites were recently updated as part of TLS 1.3 support in #1496. I don't know enough to tell why we don't include |
I think we're going to rely on how OpenSSL is configured and evolves here, there's not much we can do to configure this since it was opened and still aren't any options. |
I think at a start, md5 should be blacklisted, and sha-1 generate a warning, with blacklisting in the coming months.
@Lukasa suggested that urllib3 was the correct place in the http-stack to do this.
The text was updated successfully, but these errors were encountered: