Move away from 'crypto/sha1' for AWS Sign Requests #1757

Closed
davissp14 opened this issue Aug 12, 2019 · 2 comments

davissp14 commented Aug 12, 2019

SHA1 has been deemed unsafe for a while now. The use of HMAC-SHA1 is a little better; we should look to move to SHA2 or SHA3 for better security.

Describe the solution you'd like
Move to SHA2 or SHA3

https://github.ibm.com/ibm-cloud-databases/velero/blob/6513e8f30e8314f2188159b3472fd627a9bd2619/pkg/cloudprovider/aws/v1_sign_request_handler.go#L21


skriss commented Aug 13, 2019

@davissp14 the v1 signature handler you're referencing is not the default. #998 will give you some more context on why that exists. v4 is used by default.


skriss commented Aug 23, 2019

Closing this out as the default signing method is v4 which uses SHA-2, and the v1 handler is around for backwards compatibility for other providers and is opt-in only.

@skriss skriss closed this as completed Aug 23, 2019
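
Added example (not part of the issue thread and not Velero's code): the AWS Signature Version 4 signing-key derivation that the closing comment refers to when it says v4 uses SHA-2, next to a plain HMAC-SHA1 tag for size comparison. The secret, date, region, service and string-to-sign are constructed sample values, and the function names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// mac returns HMAC-SHA256(key, msg), the only MAC SigV4 uses.
func mac(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// SigningKey chains four HMAC-SHA256 steps, scoping the key to one date, region and service.
func SigningKey(secret, date, region, service string) []byte {
	k := mac([]byte("AWS4"+secret), date)
	k = mac(k, region)
	k = mac(k, service)
	return mac(k, "aws4_request")
}

// Sign returns the hex SigV4 signature over a string-to-sign.
func Sign(key []byte, stringToSign string) string {
	return hex.EncodeToString(mac(key, stringToSign))
}

// Verify recomputes the signature and compares it in constant time.
func Verify(key []byte, stringToSign, sigHex string) bool {
	got, err := hex.DecodeString(sigHex)
	return err == nil && hmac.Equal(got, mac(key, stringToSign))
}

// LegacyMAC is plain HMAC-SHA1 for tag-size contrast only; it is not Velero's v1 handler.
func LegacyMAC(secret, msg string) []byte {
	m := hmac.New(sha1.New, []byte(secret))
	m.Write([]byte(msg))
	return m.Sum(nil)
}

func main() {
	// Constructed sample inputs (not real credentials or a real request).
	key := SigningKey("EXAMPLE-SECRET", "20190812", "us-east-1", "s3")
	sts := "AWS4-HMAC-SHA256\n20190812T000000Z\n20190812/us-east-1/s3/aws4_request\n<canonical-request-hash>"
	fmt.Println(Sign(key, sts), len(LegacyMAC("EXAMPLE-SECRET", sts)))
}
```

The derived key is bound to its scope, so a signature made for one date does not verify under the key derived for another.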