Fedora 41 Will Make OpenSSL Distrust SHA1 Signatures By Default

Written by Michael Larabel in Fedora on 26 June 2024 at 05:51 AM EDT.
A change proposal has been approved for Fedora 41 to make OpenSSL distrust SHA1 signatures by default.

Collision attacks on SHA-1 are now practical and only get cheaper as computing resources grow, so Fedora plans to have OpenSSL block both creation and verification of SHA-1 signatures by default. The scope is signatures only: plain SHA-1 hashing and HMAC-SHA1 are not affected. The change was first proposed for Fedora in 2022 as part of the broader StrongCryptoSettings3 proposal, which was rejected; it has now been resubmitted, narrowed to just the SHA-1 signature tightening, and approved in that form.

The Fedora 41 change proposal explains:
"This change, when discussed as part of the rejected Changes/StrongCryptoSettings3, has proved itself controversial.

There seems to be a consensus that the change has to be done sooner or later, but Fedora is a remarkably conservative distribution when it comes to deprecating legacy cryptography, even if by-default-only.

The decision to discover code reliant on SHA-1 signatures by blocking creation/verification has not gathered many fans, but it's not like many viable alternative proposals have been raised in return either. In particular, there is no suitable facility to perform opt-out logging of the rejected operation. Opt-in logging through USDT probes has been implemented the last time and has been reinstated again to aid testing this change.

The precursor change has received limited testing during Fedora 37 Test Days, with only a handful of bugs discovered. The ones that were, though, wouldn't be something realistically discoverable by other means.

The change has received significant testing in RHEL, which distrusts SHA-1 signatures by default starting from RHEL-9. Having this switch flipped in RHEL for ~2 years further enforces our confidence in the change."

With the proposal approved, Fedora 41 is on track to distrust SHA-1 signatures by default when it ships in late 2024.
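
The practical question this raises for an administrator is which certificates in their own deployment are still signed with SHA-1 and will stop verifying once the default flips. The following stand-alone Python script, added here as an illustration and not code from Fedora, OpenSSL or the change proposal, walks a PEM bundle, decodes just enough DER to read each certificate's signatureAlgorithm OID, and flags the SHA-1 variants. It uses only the standard library. The two "certificates" embedded at the bottom are constructed test data with a placeholder tbsCertificate and a dummy signature; only their outer ASN.1 structure is real. Caveat: RSASSA-PSS carries its digest in the algorithm parameters rather than the OID, so a PSS-with-SHA-1 certificate would not be flagged by this lookup.

```python
"""Find SHA-1-signed X.509 certificates in a PEM bundle (stdlib only)."""
import base64
import re

# Signature-algorithm OIDs whose digest is SHA-1. RSASSA-PSS (1.2.840.113549.1.1.10)
# puts its hash in the parameters, not the OID, and is deliberately not listed.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Turn OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]   # first byte packs the first two arcs
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert)            # skip tbsCertificate entirely
    tag, sigalg, _ = read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid, _ = read_tlv(sigalg)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def scan_pem_bundle(text: str):
    """Return [(index, oid, sha1_name_or_None)] for every certificate in the bundle."""
    results = []
    for i, b64 in enumerate(_PEM_CERT.findall(text)):
        der = base64.b64decode("".join(b64.split()))
        oid = signature_algorithm_oid(der)
        results.append((i, oid, SHA1_SIGNATURE_OIDS.get(oid)))
    return results


# --- constructed test data (not real certificates, not signed) -------------------
def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode tag + length + body, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert_pem(sig_oid: bytes) -> str:
    """Stand-in certificate: placeholder tbsCertificate, given signature OID, dummy signature."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                    # placeholder tbsCertificate
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))   # AlgorithmIdentifier with NULL params
    sig = tlv(0x03, b"\x00" + b"\xAB" * 128)                # BIT STRING, 0 unused bits
    b64 = base64.b64encode(tlv(0x30, tbs + alg + sig)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (fake_cert_pem(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSAEncryption
                 + fake_cert_pem(bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption

if __name__ == "__main__":
    for idx, oid, sha1_name in scan_pem_bundle(SAMPLE_BUNDLE):
        verdict = f"SHA-1 ({sha1_name}): will fail verification" if sha1_name else "ok"
        print(f"cert #{idx}: {oid} {verdict}")
```

Point `scan_pem_bundle` at the contents of a CA bundle or a directory of PEM files to get the inventory; anything flagged is a certificate whose signature OpenSSL will refuse to verify under the new default.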