> On Jul 10, 2017, at 3:45 AM, Niklas Keller <me@xxxxxxxxxxx> wrote:
>
> What's the best way / a working way to reject weak signature schemes in OpenSSL 1.0.{1,2}?

Most CAs have stopped issuing SHA-1 certificates. Any old ones will expire over the next year or two. While Google has demonstrated a SHA-1 collision, that proof of concept is far from a practical attack.

The simplest solution is to let the CAs solve the problem as SHA-1 certificates fade out of the picture. You can if you wish leave out from the set of trusted roots any CAs that have not yet stopped issuing SHA-1 certificates.

You can of course implement a verify callback that inspects each certificate in the chain, and triggers an error when its signature is SHA-1 and it is not the last one in the chain. This requires keeping some state attached to the X509 store context, and I don't think it is worth the effort. See code involving "TLScontext_index" in:

https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L318
https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L942
https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_verify.c#L163

With such a context, you can keep track of the maximum depth seen by the callback, and reject SHA-1 at lower depths. I do not recommend doing this.

-- 
Viktor.