PHP :: Bug #66833 :: Default disgest algo is still MD5

Bug #66833	Default disgest algo is still MD5
Submitted:	2014-03-06 11:42 UTC	Modified:	-
From:	remi@php.net	Assigned:
Status:	Closed	Package:	OpenSSL related
PHP Version:	5.4.25	OS:	GNU/LInux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	remi@php.net
New email:
PHP Version:		OS:

New Comment:

[2014-03-06 11:42 UTC] remi@php.net

Description:
------------
Default disgest  algo is still MD5, which means we can generate digest which are rejected on some recent openssl version (at least RHEL-7 and Fedora 21).

Proposal: switch to sha256 (sha1 is also now considered as unsecure)

Patches

openssl-defaultmd-sha1.patch (last revision 2014-03-06 12:24 UTC by remi@php.net)
openssl-defaultmd.patch (last revision 2014-03-06 11:42 UTC by remi)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-03-06 11:43 UTC] remi@php.net

This change will allow to revert workaround added in
http://git.php.net/?p=php-src.git;a=commitdiff;h=721b9a7c8dbe52cd3f0d2ac69b8eb9c78a0721c9

[2014-03-06 11:49 UTC] remi@php.net

To be considered: there are still widely used legacy applications that cannot verify signatures that use sha256.

[2014-03-06 12:24 UTC] remi@php.net

The following patch has been added/updated:

Patch Name: openssl-defaultmd-sha1.patch
Revision:   1394108650
URL:        https://bugs.php.net/patch-display.php?bug=66833&patch=openssl-defaultmd-sha1.patch&revision=1394108650

[2014-03-06 12:53 UTC] remi@php.net

After a deeper analysis:

Most PHP users will rely on system configuration (so sha1 or sha256 on modern distro)

So this only affects user which use a non-default configuration, without default_md option (as in the ext/openssl/tests/bug36732.phpt test).

So switch to EVP_sha1() seems the simple solution, less risky, and will match recent openssl library hardcoded value (sha256 is only set in the provided configuration).

[2014-03-14 08:53 UTC] remi@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5

[2014-03-14 08:53 UTC] remi@php.net

-Status: Open +Status: Closed

[2014-03-14 11:26 UTC] ab@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5

[2014-03-14 11:35 UTC] ab@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5

[2014-04-10 04:47 UTC] tyrael@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5

[2014-10-07 23:15 UTC] stas@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5

[2014-10-07 23:27 UTC] stas@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC