> On Jun 20, 2018, at 12:47 PM, Matt Caswell <matt@xxxxxxxxxxx> wrote:
>
> An OpenSSL client will enforce that the ServerKeyExchange signature is
> consistent with the sig algs that it sent. It does *not* enforce that
> the server's certificate signatures are consistent with those sig algs.
> I don't think there is any equivalent of the server's "-strict" to
> switch this checking on.
>
> Note that in TLSv1.3 there are actually *two* sig algs extensions, i.e.
> "signature_algorithms" and "signature_algorithms_cert". The latter
> enables you to specify acceptable signature algorithms in a certificate
> chain separately from signature algorithms in the TLSv1.3
> CertificateVerify message.

Right, certificate chain verification is the business of the X.509 code in
libcrypto and lies entirely outside the SSL library. The SSL library sets
the "security level" establishing a baseline acceptable cryptographic
strength, but otherwise, if your trusted CAs use particular signature
algorithms (per CA/B Forum practices, ...) then you'll accept the
algorithms they use.

If some root CAs, or intermediate CAs to which they delegate authority,
employ weak algorithms, your best bet is to not trust those CAs; they
should not be using weak algorithms. TLS is not the best place to
regulate (Web) PKI.

At present libcrypto does not provide a fine-grained way to restrict
which signature algorithms are acceptable for a particular invocation of
X509_verify_cert(3). The "best" you can do is enable only the EVP
algorithms you want when initializing the OpenSSL library. I don't
recall whether leaving some EVP algorithms uninitialized is still
possible now that OpenSSL 1.1.x is doing automatic self-initialization.

--
	Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
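The practical consequence of the exchange above is that a client wanting a
"signature_algorithms_cert"-style policy on the certificate chain has to
apply it itself, after the X.509 code has verified the chain. The following
is an added example, not code from the thread or from OpenSSL: it walks the
outer signatureAlgorithm of each DER certificate in a chain with a minimal
ASN.1 reader and rejects certificates whose algorithm is not on an allowlist.
The sample certificates are constructed in code for the demo (structurally
valid DER, bogus signature bytes, not real CA certificates), and the DER
reader assumes well-formed DER with single-byte tags, which is what X.509
certificates use.

```python
"""Post-handshake policy check on the signature algorithms of a verified
certificate chain. Added example; the certificates are constructed below
and are not real."""

# Dotted OIDs of signature algorithms we are willing to accept in a chain.
ALLOWED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}

# Names for algorithms we expect to see rejected (purely for readable reports).
WEAK_SIGNATURE_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    first = raw[0]
    arcs = ["2", str(first - 80)] if first >= 80 else [str(first // 40), str(first % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 byte of this arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def certificate_signature_oid(der):
    """Return the OID of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, start, _, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, _, _, pos = _read_tlv(der, start)        # skip tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _, _ = _read_tlv(der, pos)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end, _ = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def check_chain(chain_der, allowed=ALLOWED_SIGNATURE_OIDS):
    """Return [(position, oid, name)] for every certificate whose signature
    algorithm is not allowed; an empty list means the chain passes. Position
    0 is the leaf. A self-signed trust anchor at the end of the chain is
    reported too; callers that do not care about the anchor's self-signature
    can slice it off before calling."""
    violations = []
    for i, der in enumerate(chain_der):
        oid = certificate_signature_oid(der)
        if oid not in allowed:
            violations.append((i, oid, WEAK_SIGNATURE_NAMES.get(oid, "unknown")))
    return violations


# --- constructed sample data (demo only, not real certificates) -------------

def _tlv(tag, body):
    """Encode one DER TLV, using long-form length where needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def constructed_certificate(sig_oid):
    """Build a structurally valid but unsigned DER Certificate whose outer
    signatureAlgorithm is sig_oid. Constructed for this demo only."""
    alg_id = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")     # params NULL
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                   # version v3
               + _tlv(0x02, b"\x01")                             # serialNumber
               + alg_id                                          # signature
               + _tlv(0x30, b"")                                 # issuer
               + _tlv(0x30, _tlv(0x17, b"240101000000Z") * 2)    # validity
               + _tlv(0x30, b"")                                 # subject
               + _tlv(0x30, b""))                                # spki placeholder
    sig_value = _tlv(0x03, b"\x00" + b"\xAA" * 256)              # bogus BIT STRING
    return _tlv(0x30, tbs + alg_id + sig_value)


if __name__ == "__main__":
    chain = [constructed_certificate("1.2.840.10045.4.3.2"),      # leaf: ECDSA/SHA-256
             constructed_certificate("1.2.840.113549.1.1.5")]     # intermediate: RSA/SHA-1
    print(check_chain(chain))
```

Usage: run this after the handshake on the chain the library actually
verified, not on whatever the server sent. With OpenSSL directly that is the
chain from SSL_get0_verified_chain(3) (each X509 DER-encoded with i2d_X509);
in Python 3.13 and later, SSLSocket.get_verified_chain() exposes the same
chain. If the policy fails, close the connection before sending application
data. This is deliberately a separate step from verification, matching the
point above that libcrypto's X509_verify_cert(3) offers no per-invocation
signature-algorithm filter beyond the security level.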