)]}' { "commit": "72f7e21087aaf38c781de3e659ccf13f0735de27", "tree": "ba959ab145003f004ade897887cb524598103d29", "parents": [ "5fa8f5bc9adccb701bda1fc78ce93280a304e258" ], "author": { "name": "David Benjamin", "email": "davidben@chromium.org", "time": "Fri Jan 29 15:28:58 2016 -0500" }, "committer": { "name": "Adam Langley", "email": "agl@google.com", "time": "Fri Jan 29 21:30:00 2016 +0000" }, "message": "Stop allowing SHA-224 in TLS 1.2.\n\nTake the mappings for MD5 and SHA-224 values out of the code altogether. This\naligns with the current TLS 1.3 draft.\n\nFor MD5, this is a no-op. It is not currently possible to configure accepted\nsignature algorithms, MD5 wasn\u0027t in the hardcoded list, and we already had a\ntest ensuring we enforced our preferences correctly. MD5 also wasn\u0027t in the\ndefault list of hashes our keys could sign and no one overrides it with a\ndifferent hash.\n\nFor SHA-224, this is not quite a no-op. The hardcoded accepted signature\nalgorithms list included SHA-224, so this will break servers relying on that.\nHowever, Chrome\u0027s metrics have zero data points of servers picking SHA-224 and\nno other major browser includes it. Thus that should be safe.\n\nSHA-224 was also in the default list of hashes we are willing to sign. For\nclient certificates, Chromium\u0027s abstractions already did not allow signing\nSHA-224, so this is a no-op there. For servers, this will break any clients\nwhich only accept SHA-224. But no major browsers do this and I am not aware of\nany client implementation which does such a ridiculous thing.\n\n(SHA-1\u0027s still in there. Getting rid of that one is going to take more effort.)\n\nChange-Id: I6a765fdeea9e19348e409d58a0eac770b318e599\nReviewed-on: https://boringssl-review.googlesource.com/7020\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "7a336f17ef4566b7fa4484347b70683ad8951c95", "old_mode": 33188, "old_path": "ssl/t1_lib.c", "new_id": "decf5fc532e4495780f2a3e2251e22d928cd56ea", "new_mode": 33188, "new_path": "ssl/t1_lib.c" }, { "type": "modify", "old_id": "75f56ce632f2e78ca1bfe27e95e57b928edc9425", "old_mode": 33188, "old_path": "ssl/test/runner/runner.go", "new_id": "b74f66bb029800c60e8e402693962b667746bec9", "new_mode": 33188, "new_path": "ssl/test/runner/runner.go" } ] }