target = "https://tools.ietf.org/rfc/rfc7627#6.2" # 6.2. Cryptographic Properties of the Hash Function # # The session hashes of two different sessions need to be distinct; # hence, the "Hash" function used to compute the "session_hash" needs # to be collision resistant. As such, hash functions such as MD5 or # SHA1 are NOT RECOMMENDED. # # We observe that the "Hash" function used in the Finished message # computation already needs to be collision resistant for the # renegotiation indication extension [RFC5746] to work, because a # meaningful collision on the handshake messages (and hence on the # "verify_data") may re-enable the renegotiation attack [Ray09]. # # The hash function used to compute the session hash depends on the TLS # protocol version. All current ciphersuites defined for TLS 1.2 use # SHA256 or better, and so does the session hash. For earlier versions # of the protocol, only MD5 and SHA1 can be assumed to be supported, # and this document does not require legacy implementations to add # support for new hash functions. In these versions, the session hash # uses the concatenation of MD5 and SHA1, as in the Finished message. [[spec]] level = "SHOULD" quote = ''' As such, hash functions such as MD5 or SHA1 are NOT RECOMMENDED. '''