On 23/02/2017 01:22, Steffan Karger wrote: > Hi James, > > On 22-02-17 19:48, James Yonan wrote: >> mbedTLS 2 has a new feature that allows rejection of certificates if the >> key size is too small or the signing hash is weak. >> >> The feature is controlled via struct mbedtls_x509_crt_profile. >> >> For example, you could specify that certificates must be at least 2048 >> bits and use a SHA-2 signing alg. >> >> Wondering if we should enable this via an option, or tie it into the >> existing tls-version-min. >> >> The granular approach would be to have specific options for each limit, >> such as ssl-min-key-size, ssl-require-sha2 >> >> The bundled approach would be to take an existing option such as >> tls-version-min and add additional constraints onto it. For example, if >> tls-version-min is 1.2 or higher, then also require minimum key size to >> be 2048 and certificate signing hash to be SHA-2. > OpenVPN 2.4 currently just uses mbed TLS' default profile, and we tell > people to use stronger keys (RSA 2048+ / ECDSA) or a stronger hash > function (SHA1+) if that causes trouble. > > If we are going to make this configurable, I think we should separate it > from tls-version-min. The main use case I see for using a lower > security setting would be an out-of-the-admins-control CA, or something > like (old) smart cards that don't support RSA-2048. I wouldn't want to > block people from enforcing TLS 1.2, because their smart card is crappy. > > So I think we'll have to add the relevant --tls-rsa-key-size-min, > --tls-curves (could replace --ecdh-curves), --tls-digests options. If > we want to make it configurable, that is.
I think it needs to be configurable to allow for transitions to stronger keys. For naming, how about --tls-rsa-key-size-min and --tls-cert-sign-min? For --tls-cert-sign-min, the choices could be "none" (anything allowed by the underlying SSL lib) or "sha2" (requiring sha256 or higher). Wondering what the defaults should be. James > > -Steffan > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, SlashDot.org! http://sdm.link/slashdot > _______________________________________________ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel