[PATCH] Don't auto-generate SHA1 certificates any more

Andrew Bartlett abartlet at samba.org
Wed Aug 9 19:18:46 UTC 2017

On Wed, 2017-08-09 at 09:05 -0400, Simo wrote:
> On Wed, 2017-08-09 at 17:01 +1200, Andrew Bartlett via samba-technical
> wrote:
> > Samba's self-signed certificates are meant to be replaced by proper
> > certificates, but few people do that. 
> > 
> > Either way, we shouldn't use SHA1.  It has been on the 'do not use'
> > list for quite some time now. 
> > 
> > If someone can review this into master, I would then like to backport
> > it to supported releases. 
> Maybe we should leave them to use SHA1 so that it becomes overly clear
> that people should replace them ?

No.  They are fine for trust-on-first-use kind of operations.  Having
it this way just causes trouble with auditors and likely library-level
refusal in the future. 


The default security mechanisms within the software produced by the 
project SHOULD NOT depend on cryptographic algorithms or modes with 
known serious weaknesses (e.g., the SHA-1 cryptographic hash algorithm 
or the CBC mode in SSH).


There is no good reason to autogenerate these certificates with SHA1
when a simple code change can bring it to a supported standard. 

We describe well how to get real certificate here:


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list