- 
                Notifications
    You must be signed in to change notification settings 
- Fork 744
Description
Problem:
SHA1 seems to be the only OCSP digest supported by s2n: https://github.com/aws/s2n-tls/blob/main/tls/s2n_x509_validator.c#L473-L478
However, the support for SHA1 in OCSP is a bit outdated. The latest OCSP RFC states that it's mandatory for clients that request OCSP services to be able to process responses signed using SHA-256.
Proposed Solution:
Update OCSP digest support to handle SHA-256.
- 
Does this change what S2N sends over the wire? No 
- 
Does this change any public APIs? No 
- 
Which versions of TLS will this impact? N/A 
- 
RFC links: - Old OCSP RFC: https://datatracker.ietf.org/doc/html/rfc2560#section-4.3
- Latest OCSP RFC: https://datatracker.ietf.org/doc/html/rfc6960#section-4.3
 
- 
Related Issues: https://shufflesharding.com/posts/improving-security-in-s2n 
- 
Will the Usage Guide or other documentation need to be updated? 
- 
Testing: Would need to update s2n unit tests to test against OCSP responses signed using SHA-256, along with new OCSP test files. - Will this change trigger SAW changes? Not sure
- Should this change be fuzz tested? Not sure