Feature #91554

open

Refactor SHA1 dependent components

Added by Tizian Schmidlin almost 4 years ago. Updated over 3 years ago.

Status: New
Priority: Should have
Assignee: -
Category: Security
Start date: 2020-06-02
Due date:
% Done: 0%
Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Hello there,

as outlined in this article, SHA1 will soon be dropped from SSH since the standard is considered prone to collisions.

I think, since we are in an early phase of TYPO3 11 developments, it would be good to deprecate all methods and classes related to sha1 (or even md5 for that matter) that are still available in core.

Challenges:
  1. TYPO3 uses the sha1 built-in PHP function 32 times, mentions "sha1" 35 times as a separate string (either array hash, value or function argument) throughout the core (that's 10 more instances of sha1 being called and two instances less as a string mention than back in TYPO3 9.5)
  2. TYPO3 also still uses md5 functions around 169 times (!) in the core
  3. Cryptographically safer functions might create quite a strain on the servers running the new code (on my benchmarks, using hash('sha256' instead of sha1 was approximately 0.6% slower).
Chances:
  1. Ensure more cryptographically safe software
  2. Get rid of really old code
  3. (Bragging rights for being the first CMS to throw out all old and cryptographically unsafe functions from its core?)

Best Regards
Tizian
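
Challenge 1 above separates calls to the built-in function from separate string mentions of "sha1". One way to take that inventory is sketched below, as an added example that is not part of the original issue or of TYPO3 core. The function name `auditWeakHashes`, the counted function list and the sample source are assumptions made for illustration, and the tokenizer constants used require PHP 8.0 or later.

```php
<?php
// Added example, not TYPO3 code. Assumes PHP 8.0+ (tokenizer constants used below).
function auditWeakHashes(string $source): array
{
    $functions = ['sha1', 'sha1_file', 'md5', 'md5_file']; // direct calls to count
    $algorithms = ['sha1', 'md5'];                          // string mentions to count
    $notACall = [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW];
    $ignored = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    // Drop whitespace and comments so commented-out code is not counted.
    $tokens = array_values(array_filter(
        token_get_all($source),
        static fn($t) => !is_array($t) || !in_array($t[0], $ignored, true)
    ));
    $counts = ['calls' => [], 'strings' => []];
    foreach ($tokens as $i => $token) {
        if (!is_array($token)) {
            continue; // single-character tokens such as "(" or ";"
        }
        [$id, $text] = $token;
        if ($id === T_CONSTANT_ENCAPSED_STRING) {
            $value = strtolower(trim($text, '\'"'));
            if (in_array($value, $algorithms, true)) {
                $counts['strings'][$value] = ($counts['strings'][$value] ?? 0) + 1;
            }
            continue;
        }
        if ($id !== T_STRING && $id !== T_NAME_FULLY_QUALIFIED) {
            continue;
        }
        $name = strtolower(ltrim($text, '\\'));
        $prev = $tokens[$i - 1] ?? null;
        $prevId = is_array($prev) ? $prev[0] : null; // null when preceded by "=" etc.
        $isCall = ($tokens[$i + 1] ?? null) === '(';
        if ($isCall && in_array($name, $functions, true) && !in_array($prevId, $notACall, true)) {
            $counts['calls'][$name] = ($counts['calls'][$name] ?? 0) + 1;
        }
    }
    return $counts;
}

// Constructed sample input, not taken from TYPO3.
$sample = <<<'SAMPLE'
<?php
$a = sha1($input);
$b = \md5($input . $salt);
$c = hash('sha1', $input);   // string mention, not a direct call
// $d = sha1($old);          commented out: not counted
$e = $hasher->md5($input);   // method call: not counted
SAMPLE;
print_r(auditWeakHashes($sample));
```

To audit a code base, pass the contents of each `.php` file to the function and sum the per-file counts. Each hit still needs manual review, since a checksum used as a cache key carries different risk than one used for integrity or authentication.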
