From 5e0da6fb68446612844970be1e862f0e5bc25183 Mon Sep 17 00:00:00 2001
From: moneromooo-monero
Date: Thu, 25 Apr 2019 16:35:27 +0000
Subject: change SSL certificate fingerprint whitelisting from SHA1 to SHA-256

SHA1 is too close to bruteforceable
---
 contrib/epee/include/net/net_ssl.h | 2 ++
 contrib/epee/src/net_ssl.cpp | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

(limited to 'contrib')

diff --git a/contrib/epee/include/net/net_ssl.h b/contrib/epee/include/net/net_ssl.h
index 957903ff8..5ef2ff59d 100644
--- a/contrib/epee/include/net/net_ssl.h
+++ b/contrib/epee/include/net/net_ssl.h
@@ -37,6 +37,8 @@
 #include
 #include
 
+#define SSL_FINGERPRINT_SIZE 32
+
 namespace epee
 {
 namespace net_utils
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp
index 7bedb18ac..c17d86eca 100644
--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@@ -321,7 +321,7 @@ bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const
 unsigned int size{ 0 };
 
 // create the digest from the certificate
- if (!X509_digest(cert, EVP_sha1(), digest.data(), &size)) {
+ if (!X509_digest(cert, EVP_sha256(), digest.data(), &size)) {
 MERROR("Failed to create certificate fingerprint");
 return false;
 }
-- 
cgit v1.2.3
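Review bot: `SSL_FINGERPRINT_SIZE` in net_ssl.h is an undocumented preprocessor macro placed before `namespace epee`, so nothing at the definition says it is the SHA-256 digest length in bytes or that it must stay in step with the digest chosen in `ssl_options_t::has_fingerprint`. A comment such as `// byte length of a SHA-256 certificate fingerprint; must match the digest used in ssl_options_t::has_fingerprint` would record that link. If no preprocessor conditional depends on the value (none is visible here), a typed constant inside the namespace, `constexpr unsigned int SSL_FINGERPRINT_SIZE = 32;`, would keep the name out of every includer's global scope. The namespace body continues outside the hunk.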
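Review bot: Within the visible lines of `has_fingerprint`, only the return value of `X509_digest(cert, EVP_sha256(), ...)` is checked; the returned `size` is never compared with the new `SSL_FINGERPRINT_SIZE`, so the two are linked by convention only. A guard right after the call, `if (size != SSL_FINGERPRINT_SIZE) { MERROR("Unexpected certificate fingerprint size"); return false; }`, would make a later digest change fail loudly rather than silently never matching (this assumes net_ssl.cpp sees the macro through net/net_ssl.h). Previously configured 20-byte SHA-1 fingerprints will now match no certificate. That fails closed, but the code that loads the fingerprint list (not shown, the diff is limited to 'contrib') should presumably reject entries whose length differs from `SSL_FINGERPRINT_SIZE` so operators get a diagnostic. The body of `has_fingerprint` starts and ends outside the hunk.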