diff options
author | Martin Sucha <git@mm.ms47.eu> | 2019-09-01 12:11:59 +0300 |
---|---|---|
committer | Michael Schuster <michael@schuster.ms> | 2019-09-04 23:06:12 +0300 |
commit | 3e6422a88993ff71abc1cffa89ff3c22ae841374 (patch) | |
tree | 777a90986e03be59fd1e43c078a302ed7913282d /src/gui/sslerrordialog.cpp | |
parent | 0cb1f4d14b1aae7e46bf7c25d1509a6bfee983fd (diff) |
Use newer digest algorithms in TLS error dialog
MD5 has been broken for a long time now and SHA1 has been
deprecated as well. SHA1 is not used when issuing new
publicly trusted certificates since 1 January 2016[1] and
there are more and more effective attacks[2][3] against it,
so display SHA1 fingerprint only for old certificates
to encourage use of safer digests by users.
So, we display SHA-256 and SHA-512 fingerprints instead in
the common case.
[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.5.pdf
[2] https://shattered.io/static/shattered.pdf
[3] https://eprint.iacr.org/2019/459.pdf
Signed-off-by: Martin Sucha <git@mm.ms47.eu>
Diffstat (limited to 'src/gui/sslerrordialog.cpp')
-rw-r--r-- | src/gui/sslerrordialog.cpp | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/gui/sslerrordialog.cpp b/src/gui/sslerrordialog.cpp index 8b6350efa..814a7b0af 100644 --- a/src/gui/sslerrordialog.cpp +++ b/src/gui/sslerrordialog.cpp @@ -184,10 +184,15 @@ QString SslErrorDialog::certDiv(QSslCertificate cert) const msg += QL("<p>"); - QString md5sum = Utility::formatFingerprint(cert.digest(QCryptographicHash::Md5).toHex()); - QString sha1sum = Utility::formatFingerprint(cert.digest(QCryptographicHash::Sha1).toHex()); - msg += tr("Fingerprint (MD5): <tt>%1</tt>").arg(md5sum) + QL("<br/>"); - msg += tr("Fingerprint (SHA1): <tt>%1</tt>").arg(sha1sum) + QL("<br/>"); + if (cert.effectiveDate() < QDateTime(QDate(2016, 1, 1), QTime(), Qt::UTC)) { + QString sha1sum = Utility::formatFingerprint(cert.digest(QCryptographicHash::Sha1).toHex()); + msg += tr("Fingerprint (SHA1): <tt>%1</tt>").arg(sha1sum) + QL("<br/>"); + } + + QString sha256sum = Utility::formatFingerprint(cert.digest(QCryptographicHash::Sha256).toHex()); + QString sha512sum = Utility::formatFingerprint(cert.digest(QCryptographicHash::Sha512).toHex()); + msg += tr("Fingerprint (SHA-256): <tt>%1</tt>").arg(sha256sum) + QL("<br/>"); + msg += tr("Fingerprint (SHA-512): <tt>%1</tt>").arg(sha512sum) + QL("<br/>"); msg += QL("<br/>"); msg += tr("Effective Date: %1").arg(cert.effectiveDate().toString()) + QL("<br/>"); msg += tr("Expiration Date: %1").arg(cert.expiryDate().toString()) + QL("</p>"); |