1. 14 Oct, 2020 3 commits
    • ci: stop hacking the crypto policy · 88707ad2
      Michael Catanzaro authored
      We no longer need to allow legacy crypto.
    • Stop using SHA-1 signatures for root certificates · db1a0852
      Michael Catanzaro authored
      SHA-1 is still allowed for certificates that are trust roots, but it is
      NOT allowed for the "alternative" CA certificate sent in the chain,
      because that alternative certificate is not a trust root, even though it
      has the same public key as a trust root. So we can no longer use SHA-1
      in ca-alternative.pem, though it's still allowed in ca.pem. Both
      certificates are constructed from the same .conf, so we either need to
      use separate .conf or change them both. Changing them both is easier. We
      have no compelling reason to test whether SHA-1 is allowed on trust
      roots here; we can expect GnuTLS and OpenSSL to do that in their
      testsuites.
      
      Interestingly, only GnuTLS rejects SHA-1 on the alternative CA
      certificate with F33 crypto policy. OpenSSL allows it. I guess the
      OpenSSL behavior seems reasonable, because there should be no security
      risk to allowing SHA-1 signatures for a certificate that has the same
      public key as a trust root. If the owner of the corresponding private
      key is not trusted, then it should not have any certificates installed
      as trust roots.
      
      Fixes #140
    • Upgrade test certificates to RSA-2048 · 53272dab
      Michael Catanzaro authored
      RSA-1024 is now blocked by Fedora 33 system policy.
      
      This exposes an embarrassing mistake. Browsers blocked RSA-1024 five
      years ago. It is surprising that it was not blocked before now.
  2. 13 Oct, 2020 1 commit
  3. 12 Oct, 2020 1 commit
  4. 22 Sep, 2020 1 commit
  5. 17 Sep, 2020 2 commits
  6. 15 Sep, 2020 4 commits
  7. 14 Sep, 2020 1 commit
  8. 13 Sep, 2020 1 commit
  9. 12 Sep, 2020 1 commit
  10. 11 Sep, 2020 2 commits
  11. 10 Sep, 2020 1 commit
  12. 09 Sep, 2020 1 commit
  13. 07 Sep, 2020 1 commit
  14. 06 Sep, 2020 2 commits
  15. 04 Sep, 2020 10 commits
  16. 01 Sep, 2020 8 commits