Certificates are SHA1-signed by default
I just started looking into Forge and it looks potentially very useful, but I did notice something troubling. It appears that (unless deliberately overridden) the X509 routines default to using SHA1 for signing certificates?
Given that SHA1 certificates are explicitly no longer acceptable by most web browsers (or other security-conscious applications), specifically because of long-known weaknesses in the SHA1 algorithm, Forge should not be using this as a default configuration.
(Most CAs these days have switched to SHA-256, though it could be argued SHA-512 would be a better choice, in general)
+1, we should update the default to SHA-256, but we'll have to do a major version release (where "major" is 0.8 at this point since we're still under 1.0.)
We ran into this issue just now - browser now throws NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM - was surprised it wasn't 256 by default, but SHA-1.
Yes, the world has become more strict and secure in this regard since the code was written. Patches that update default algorithms and key sizes to modern recommendations would be very welcome!
With openssl 3.x, SHA-1 signed certificates are no longer supported by default.
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
X509 certificates signed using SHA1 are no longer allowed at security level 1 and above.
In TLS/SSL the default security level is 1. It can be set either using the cipher string with @SECLEVEL, or calling SSL_CTX_set_security_level(3). If the leaf certificate is signed with SHA-1, a call to SSL_CTX_use_certificate(3) will fail if the security level is not lowered first. Outside TLS/SSL, the default security level is -1 (effectively 0). It can be set using X509_VERIFY_PARAM_set_auth_level(3) or using the -auth_level options of the commands.
This should perhaps be looked at again.
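An added example, not part of the thread or of Forge's code: a dependency-free check that reads the outer signatureAlgorithm OID from a DER-encoded certificate and flags the SHA-1 (and MD5) signatures that browsers and OpenSSL 3.x reject. The function names and the sample bytes are constructed for illustration; the sample is a skeleton, not a real certificate.

```javascript
// Signature-algorithm OIDs built on a broken hash (standard PKCS#1 / X9.62 values).
const WEAK_SIG_OIDS = {
  '1.2.840.113549.1.1.4': 'md5WithRSAEncryption',
  '1.2.840.113549.1.1.5': 'sha1WithRSAEncryption',
  '1.2.840.10045.4.1': 'ecdsa-with-SHA1',
};

// Read one DER tag-length-value header starting at `pos`.
function readTlv(der, pos) {
  const tag = der[pos];
  let len = der[pos + 1];
  let start = pos + 2;
  if (len & 0x80) {                 // long form: low 7 bits = count of length bytes
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[start + i];
    start += n;
  }
  if (tag === undefined || !(start + len <= der.length)) throw new Error('truncated DER');
  return { tag, start, end: start + len };
}

// Decode OID content bytes into dotted notation (base-128 sub-identifiers).
function decodeOid(bytes) {
  const first = Math.min(2, Math.floor(bytes[0] / 40));
  const arcs = [first, bytes[0] - 40 * first];
  let v = 0;
  for (const b of bytes.subarray(1)) {
    v = v * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join('.');
}

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
function auditCertSignature(der) {
  const cert = readTlv(der, 0);
  const tbs = readTlv(der, cert.start);
  const alg = readTlv(der, tbs.end);        // AlgorithmIdentifier follows tbsCertificate
  const oid = readTlv(der, alg.start);
  if ([cert, tbs, alg].some((t) => t.tag !== 0x30) || oid.tag !== 0x06) throw new Error('not an X.509 certificate');
  const dotted = decodeOid(der.subarray(oid.start, oid.end));
  return { oid: dotted, weak: dotted in WEAK_SIG_OIDS, name: WEAK_SIG_OIDS[dotted] || null };
}

// Constructed skeleton: empty tbsCertificate, RSA signature OID ending in `lastArc`, dummy signature.
function sampleDer(lastArc) {
  return Uint8Array.from([0x30, 0x15, 0x30, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
    0x86, 0xf7, 0x0d, 0x01, 0x01, lastArc, 0x05, 0x00, 0x03, 0x02, 0x00, 0x00]);
}
```

For a PEM file, strip the BEGIN/END lines and base64-decode the body to get the DER bytes to pass in.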