php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66833 Default disgest algo is still MD5
Submitted: 2014-03-06 11:42 UTC Modified: -
From: remi@php.net Assigned:
Status: Closed Package: OpenSSL related
PHP Version: 5.4.25 OS: GNU/LInux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: remi@php.net
New email:
PHP Version: OS:

 

 [2014-03-06 11:42 UTC] remi@php.net
Description:
------------
Default disgest  algo is still MD5, which means we can generate digest which are rejected on some recent openssl version (at least RHEL-7 and Fedora 21).

Proposal: switch to sha256 (sha1 is also now considered as unsecure)





Patches

openssl-defaultmd-sha1.patch (last revision 2014-03-06 12:24 UTC by remi@php.net)
openssl-defaultmd.patch (last revision 2014-03-06 11:42 UTC by remi)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-03-06 11:43 UTC] remi@php.net
This change will allow to revert workaround added in
http://git.php.net/?p=php-src.git;a=commitdiff;h=721b9a7c8dbe52cd3f0d2ac69b8eb9c78a0721c9
 [2014-03-06 11:49 UTC] remi@php.net
To be considered: there are still widely used legacy applications that cannot verify signatures that use sha256.
 [2014-03-06 12:24 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: openssl-defaultmd-sha1.patch
Revision:   1394108650
URL:        https://bugs.php.net/patch-display.php?bug=66833&patch=openssl-defaultmd-sha1.patch&revision=1394108650
 [2014-03-06 12:53 UTC] remi@php.net
After a deeper analysis:

Most PHP users will rely on system configuration (so sha1 or sha256 on modern distro)

So this only affects user which use a non-default configuration, without default_md option (as in the ext/openssl/tests/bug36732.phpt test).

So switch to EVP_sha1() seems the simple solution, less risky, and will match recent openssl library hardcoded value (sha256 is only set in the provided configuration).
 [2014-03-14 08:53 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5
 [2014-03-14 08:53 UTC] remi@php.net
-Status: Open +Status: Closed
 [2014-03-14 11:26 UTC] ab@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5
 [2014-03-14 11:35 UTC] ab@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5
 [2014-04-10 04:47 UTC] tyrael@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5
 [2014-10-07 23:15 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5
 [2014-10-07 23:27 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=17f6391bf8bc5e0e74ea981c795455a18826ed35
Log: Fixed Bug #66833 Default digest algo is still MD5
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Nov 04 02:01:28 2024 UTC