Use SHA256 Hash for Key Fingerprints #214
Comments
Definitely should move. I was thinking of switching to base64 and sha256,
then we wouldn’t need a prefix, just a valid base64 check, and hex would
fall back to md5 for legacy support
…On Tue, 10 Nov 2020 at 12:28 am Simon Rüegg ***@***.***> wrote:
How would you feel about using the SHA256 hash instead of the current MD5
to calculate public key fingerprints?
https://github.com/jpillora/chisel/blob/v1.7.2/share/ccrypto/keys.go#L35
To remain backward compatible we could add a sha256: prefix to new
fingerprints and evaluate old fingerprints (without the prefix) still as
md5 hashes (at least until a new major version would allow the breaking
change).
References regarding MD5 deprecation:
- https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html
srueg added a commit to srueg/chisel that referenced this issue Nov 9, 2020
Closes jpillora#214
Signed-off-by: Simon Rüegg <simon@rueggs.ch>
I started implementing a PR for this but realized that this would break the feature of providing only a partial fingerprint in the clients
I went with option 1 in PR #215
lmvlmv added a commit to lmvlmv/chisel that referenced this issue Jan 5, 2021
* Use SHA256 hashes for key fingerprints Closes jpillora#214 Signed-off-by: Simon Rüegg <simon@rueggs.ch>
* Update client to fall-back to MD5 fingerprints Signed-off-by: Simon Rüegg <simon@rueggs.ch>
* help goes to stdout and exits with 0, remove incorrect versioning from help
* document udp, log client connection failures, expose more settings via env-vars
* go dropped support for mips64p32, ppc, s390
* chisel client uses CHISEL_KEY to generate fingerprint for validation
* Update README.md
* Fewer archs
* Restrict allowed URLs, Allow localhost variants for tests (#2)
* Allow localhost variants for tests
* Remove unnecessary comment
* Unnecessary +
* regex tweak Co-authored-by: Leon Verrall <lverrall@slb.com>
* Extend config object in test Co-authored-by: Simon Rüegg <simon@rueggs.ch> Co-authored-by: Jaime Pillora <dev@jpillora.com> Co-authored-by: Leon Verrall <lverrall@slb.com>
lmvlmv added a commit to lmvlmv/chisel that referenced this issue May 18, 2021
* Use SHA256 hashes for key fingerprints Closes jpillora#214 Signed-off-by: Simon Rüegg <simon@rueggs.ch>
* Update client to fall-back to MD5 fingerprints Signed-off-by: Simon Rüegg <simon@rueggs.ch>
* help goes to stdout and exits with 0, remove incorrect versioning from help
* document udp, log client connection failures, expose more settings via env-vars
* go dropped support for mips64p32, ppc, s390
* chisel client uses CHISEL_KEY to generate fingerprint for validation
* Update README.md
* Fewer archs
* Restrict allowed URLs, Allow localhost variants for tests (#2)
* Allow localhost variants for tests
* Remove unnecessary comment
* Unnecessary +
* regex tweak Co-authored-by: Leon Verrall <lverrall@slb.com>
* Extend config object in test Co-authored-by: Simon Rüegg <simon@rueggs.ch> Co-authored-by: Jaime Pillora <dev@jpillora.com> Co-authored-by: Leon Verrall <lverrall@slb.com>
How would you feel about using the SHA256 hash instead of the current MD5 to calculate public key fingerprints?
https://github.com/jpillora/chisel/blob/v1.7.2/share/ccrypto/keys.go#L35
To remain backward compatible we could add a sha256: prefix to new fingerprints and evaluate old fingerprints (without the prefix) still as md5 hashes (at least until a new major version would allow the breaking change).
References regarding MD5 deprecation:
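The prefix-free scheme suggested in this thread (base64 SHA256 for new fingerprints, hex still evaluated as MD5), sketched as an added example; it is not chisel's code and not part of any comment above. The function names are hypothetical, the key bytes stand in for a marshalled public key, tolerating colons in a legacy pin is an assumption, and a full-length pin is required (partial fingerprints are not handled).

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// FingerprintSHA256 is the new form: base64 of SHA-256 over the key bytes.
func FingerprintSHA256(key []byte) string {
	sum := sha256.Sum256(key)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// FingerprintMD5 is the legacy form: lowercase hex of MD5 over the same bytes.
func FingerprintMD5(key []byte) string {
	sum := md5.Sum(key)
	return hex.EncodeToString(sum[:])
}

// Verify checks key against a pinned fingerprint. A pin counts as SHA256 only
// if it is base64 for exactly 32 bytes; 32 hex characters are also valid base64
// but decode to 24 bytes, so a legacy pin cannot be mistaken for a new one.
func Verify(key []byte, pinned string) (legacy bool, err error) {
	want := FingerprintSHA256(key)
	if raw, e := base64.StdEncoding.DecodeString(pinned); e != nil || len(raw) != sha256.Size {
		raw, e = hex.DecodeString(strings.ReplaceAll(pinned, ":", ""))
		if e != nil || len(raw) != md5.Size {
			return false, fmt.Errorf("pin is neither base64 SHA256 nor hex MD5")
		}
		legacy, want, pinned = true, FingerprintMD5(key), hex.EncodeToString(raw)
	}
	if want != pinned {
		return legacy, fmt.Errorf("fingerprint mismatch")
	}
	return legacy, nil
}

func main() {
	key := []byte("constructed sample key bytes") // stand-in for a marshalled public key
	for _, pin := range []string{FingerprintSHA256(key), FingerprintMD5(key), "deadbeef"} {
		legacy, err := Verify(key, pin)
		fmt.Printf("pin=%q legacy=%v err=%v\n", pin, legacy, err)
	}
}
```

The returned legacy flag lets a caller log a warning whenever a match was made on MD5, so old pins can be found and replaced.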