On 10/07/2017 18:52, Viktor Dukhovni wrote:
On Jul 10, 2017, at 3:45 AM, Niklas Keller <me@xxxxxxxxxxx> wrote: What's the best way / a working way to reject weak signature schemes in OpenSSL 1.0.{1,2}?Most CAs have stopped issuing SHA-1 certificates. Any old ones will expire over the next year or two. While Google has demonstrated a SHA-1 collision, that proof of concept is far from a practical attack. The simplest solution is to let the CAs solve the problem as SHA-1 certificates fade out of the picture. You can if you wish leave out from the set of trusted roots any CAs that have not yet stopped issuing SHA-1 certificates. You can of course implement a verify callback that inspects each certificate in the chain, and triggers an error when its signature is SHA-1 and it is not the last one in the chain. This requires keeping some state attached to the X509 store context, and I don't think is worth the effort. See code involving "TLScontext_index" in: https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L318 https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L942 https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_verify.c#L163 With such a context, you can keep track of the maximum depth seen by the callback, and reject SHA-1 at lower depths. I do not recommend doing this.
I don't think a state is really needed for this, if the callback simply checks if the certificate is in the loaded trust collection, and/or if it is self-signed (depending on the application's chosen root CA trust model). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
