2fdd24a Allow disabling of SHA1 signatures

Authored and Committed by clang 2 years ago
    Allow disabling of SHA1 signatures
    
    NOTE: This patch is ported from CentOS 9 / RHEL 9, where it defaults to
    denying SHA1 signatures. On Fedora, the default is – for now – to allow
    SHA1 signatures.
    
    In order to phase out SHA1 signatures, introduce a new configuration
    option in the alg_section named 'rh-allow-sha1-signatures'. This option
    defaults to true. If set to false, any signature creation or
    verification operations that involve SHA1 as digest will fail.
    
    This also affects TLS, where the signature_algorithms extension of any
    ClientHello message sent by OpenSSL will no longer include signatures
    with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
    that request a client certificate, the same also applies for
    CertificateRequest messages sent by them.
    
    (cherry picked from commit 432cfa2baa8db94abf0daa9821a42ef40723e3c0)
    
    Resolves: rhbz#2070977
    Resolves: rhbz#2071615
    Related: rhbz#2031742, rhbz#2062640
    Signed-off-by: Clemens Lang <cllang@redhat.com>
    
        
file modified
+13 -1