Openssl 3.5 FIPS and SHA-1


Ken Goldman

Jan 19, 2026, 6:55:12 PM
to openss...@openssl.org
Looking at

https://docs.openssl.org/3.5/man7/OSSL_PROVIDER-FIPS/#approved-algorithms

I see SHA-1 on the list. Is SHA-1 really approved?



Martin Bonner

Jan 20, 2026, 3:13:42 AM
to Ken Goldman, openss...@openssl.org

Yes.  See https://csrc.nist.gov/projects/cryptographic-module-validation-program/sp-800-140-series-supplemental-information/sp800-140c .

 

SHA-1 is still approved for situations where security requires pre-image resistance (given a fixed message M, it is hard to find another message M1 such that Hash(M1) == Hash(M).  An alternative, slightly weaker formulation, is given a fixed value V, it is hard to find a message M1 such that Hash(M1) == V). 

 

The problem with SHA-1 is that it is not collision resistant (it is known how to find two values M1, M2 such that Hash(M1) == Hash(M2)).  Note that the difference with collision resistance is that the attacker gets to choose both messages.  Collision resistance is the property you want for a hash which is used to digest a message before signing.

 

Collision resistance implies pre-image resistance, and when building a protocol the safe rule of thumb is to use an algorithm which is collision resistant (SHA-2/SHA-3) just in case collision resistance is the property you need.  However, if you have an existing protocol, careful analysis may show it is still currently secure.

 

 

Martin Bonner
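
Added example (not part of the original thread, and not OpenSSL code): a toy measurement of the cost gap between the two searches described above, the one where the attacker chooses both messages and the one where a message M is fixed. It assumes SHA-1 truncated to `BITS = 16` bits so that generic searches finish in seconds; the function names and message formats are made up for the demo.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest size (assumption for the demo); real SHA-1 is 160 bits

def toy_hash(msg: bytes) -> int:
    """SHA-1 truncated to its top BITS bits."""
    digest = hashlib.sha1(msg).digest()
    return int.from_bytes(digest, "big") >> (160 - BITS)

def find_collision(seed: int):
    """Both messages are free: birthday search, about 2**(BITS/2) tries."""
    seen = {}
    for tries in count(1):
        msg = b"c%d-%d" % (seed, tries)  # constructed candidate message
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg

def find_second_preimage(fixed: bytes, seed: int):
    """One message is fixed: brute force, about 2**BITS tries."""
    target = toy_hash(fixed)
    for tries in count(1):
        msg = b"p%d-%d" % (seed, tries)  # constructed candidate message
        if msg != fixed and toy_hash(msg) == target:
            return msg, tries

def average_costs(trials: int = 16):
    """Mean number of hash calls per search, averaged over several seeds."""
    fixed = b"fixed message M"
    coll = sum(find_collision(s)[2] for s in range(trials)) / trials
    pre = sum(find_second_preimage(fixed, s)[1] for s in range(trials)) / trials
    return coll, pre

if __name__ == "__main__":
    m1, m2, _ = find_collision(0)
    print("collision:", m1, m2, hex(toy_hash(m1)))
    coll, pre = average_costs()
    print(f"mean tries: collision {coll:.0f}, fixed-message {pre:.0f}")
```

The same square-root gap holds for any n-bit hash under generic search, which is why a digest can be too weak for signing while the fixed-message search remains out of reach.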

 

 


Ken Goldman

Jan 20, 2026, 4:32:36 PM
to openss...@openssl.org
Is the answer, then, that SHA-1 is expected to be in the fips provider?

On 1/20/2026 3:13 AM, 'Martin Bonner' via openssl-users wrote:
> Yes.  See https://csrc.nist.gov/projects/cryptographic-module-validation-program/sp-800-140-series-supplemental-information/sp800-140c .
>
> SHA-1 is still approved for situations where security requires pre-image
> resistance (given a fixed message M, it is hard to find another message
> M1 such that Hash(M1) == Hash(M). An alternative, slightly weaker
> formulation, is given a fixed value V, it is hard to find a message M1
> such that Hash(M1) == V).
>
> The problem with SHA-1 is that it is not collision resistant (it is
> known how to find two values M1, M2 such that Hash(M1) == Hash(M2)).
> Note that the difference with collision resistance, is that the attacker
> gets to choose /both/ messages.  Collision resistance is the property
> you want for a hash which is used to digest a message before signing.
>
> Collision resistance implies pre-image resistance, and when building a
> protocol the safe rule of thumb is to use an algorithm which is
> collision resistant (SHA-2/SHA-3) just in case collision resistance is
> the property you need.  However if you have an existing protocol,
> careful analysis may show it is still currently secure
>
> Martin Bonner

Tomas Mraz

Jan 21, 2026, 6:58:14 AM
to Ken Goldman, openss...@openssl.org
Yes, SHA-1 is and should be in the FIPS provider for now.

Tomas Mraz, Chief Technology Officer, OpenSSL Foundation