[PATCH] Don't auto-generate SHA1 certificates any more

Andrew Bartlett abartlet at samba.org
Wed Aug 9 19:18:46 UTC 2017


On Wed, 2017-08-09 at 09:05 -0400, Simo wrote:
> On Wed, 2017-08-09 at 17:01 +1200, Andrew Bartlett via samba-technical
> wrote:
> > Samba's self-signed certificates are meant to be replaced by proper
> > certificates, but few people do that. 
> > 
> > Either way, we shouldn't use SHA1.  It has been on the 'do not use'
> > list for quite some time now. 
> > 
> > If someone can review this into master, I would then like to backport
> > it to supported releases. 
> 
> Maybe we should leave them to use SHA1 so that it becomes overly clear
> that people should replace them?

No.  They are fine for trust-on-first-use kind of operations.  Having
it this way just causes trouble with auditors and likely library-level
refusal in the future. 

e.g.:

The default security mechanisms within the software produced by the 
project SHOULD NOT depend on cryptographic algorithms or modes with 
known serious weaknesses (e.g., the SHA-1 cryptographic hash algorithm 
or the CBC mode in SSH).

https://bestpractices.coreinfrastructure.org/projects/200#security

There is no good reason to autogenerate these certificates with SHA1
when a simple code change can bring it to a supported standard. 

We describe well how to get a real certificate here:
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
