[openssl.org #3059] TLS 1.2 CertificateRequests allows MD5
Resolved now. OpenSSL no longer uses MD5 in the supported signature algorithms list.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
Re: [openssl.org #3059] TLS 1.2 CertificateRequests allows MD5
Rather than dropping it from the list, another option would be to re-prioritize the list. Given MD5 is weak, it should be at the end of the ClientHello signature algorithms extensions. This would facilitate backwards compatibility, while improving the security posture when communicating with peers that support SHA-2 algorithms. Some may argue that SHA1 should be near the end of the list as well.

On 06/02/2013 02:11 PM, Kurt Roeckx via RT wrote:
> Hi,
>
> It seems that tls12_get_req_sig_algs() sends that MD5 is a supported signature algorithm, except in the case of FIPS.
>
> Would it make sense to drop MD5 from that list?
>
> Kurt
RE: [openssl.org #3059] TLS 1.2 CertificateRequests allows MD5
It's a general problem; what if the client list contains stronger ciphers but they appear after the weaker ones? We modified code so that the server side can have its own ordered list, and it will search through that list from what the client offers. If I can get the patches released, is there any interest?

/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: [openssl.org #3059] TLS 1.2 CertificateRequests allows MD5
On Mon, Jun 03, 2013, Salz, Rich wrote:
> It's a general problem; what if the client list contains stronger ciphers but they appear after the weaker ones? We modified code so that the server side can have its own ordered list, and it will search through that list from what the client offers. If I can get the patches released, is there any interest?

That's already supported in OpenSSL 1.0.2-dev and the master branch. Client and server can set signature algorithm preference lists which can be used to select the appropriate signature algorithm to use.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: [openssl.org #3059] TLS 1.2 CertificateRequests allows MD5
Way cool!

--
Principal Security Engineer
Akamai Technology
Cambridge, MA

-----Original Message-----
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Monday, June 03, 2013 9:08 AM
To: openssl-dev@openssl.org
Cc: k...@roeckx.be
Subject: Re: [openssl.org #3059] TLS 1.2 CertificateRequests allows MD5

> On Mon, Jun 03, 2013, Salz, Rich wrote:
>> It's a general problem; what if the client list contains stronger ciphers but they appear after the weaker ones? We modified code so that the server side can have its own ordered list, and it will search through that list from what the client offers. If I can get the patches released, is there any interest?
>
> That's already supported in OpenSSL 1.0.2-dev and the master branch. Client and server can set signature algorithm preference lists which can be used to select the appropriate signature algorithm to use.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
Re: [openssl.org #3059] TLS 1.2 CertificateRequests allows MD5
On Mon, Jun 03, 2013 at 07:25:24AM -0400, John Foley wrote:
> Rather than dropping it from the list, another option would be to re-prioritize the list. Given MD5 is weak, it should be at the end of the ClientHello signature algorithms extensions. This would facilitate backwards compatibility, while improving the security posture when communicating with peers that support SHA-2 algorithms.

Please note that this is about a CertificateRequest in TLS 1.2. The server gives a list of acceptable signature algorithms, in its preferred order. MD5 is already last in that list.

It's my understanding that if you drop MD5 from that list, you will stop accepting client certificates that use MD5, which really is what I want to do.

Kurt
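The two mechanisms the thread is talking about, the server's advertised list in the TLS 1.2 CertificateRequest (Kurt's point: what is not advertised is not accepted) and a server-side preference list used to pick from whatever the client offers (Rich's and Steve's point), as an added example. This is not OpenSSL code and not code from anyone in the thread; the wire format is RFC 5246's supported_signature_algorithms vector, the function names are the example's own, and the two algorithm lists are constructed for illustration rather than copied from tls12_get_req_sig_algs().

```python
"""Added example (not OpenSSL code, not from the thread).

Models the TLS 1.2 supported_signature_algorithms vector carried in a
CertificateRequest (RFC 5246 section 7.4.4): a 2-byte length followed by
SignatureAndHashAlgorithm pairs, one byte of HashAlgorithm and one byte of
SignatureAlgorithm each, listed in the server's preferred order.
"""
import struct

# Registry values from RFC 5246 section 7.4.1.4.1.
HASH = {"md5": 1, "sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}
SIG = {"rsa": 1, "dsa": 2, "ecdsa": 3}
HASH_NAME = {v: k for k, v in HASH.items()}
SIG_NAME = {v: k for k, v in SIG.items()}


def encode_sigalgs(prefs):
    """Serialise [(hash, sig), ...] as the length-prefixed wire vector."""
    body = b"".join(struct.pack("BB", HASH[h], SIG[s]) for h, s in prefs)
    return struct.pack("!H", len(body)) + body


def decode_sigalgs(data):
    """Parse the wire vector back into [(hash, sig), ...].

    Raises ValueError on a truncated or odd-length vector instead of
    reading past the end, which is the check a receiver needs.
    """
    if len(data) < 2:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:]
    if length != len(body) or length % 2:
        raise ValueError("bad supported_signature_algorithms length")
    pairs = [struct.unpack("BB", body[i:i + 2]) for i in range(0, length, 2)]
    # Unknown registry values are kept as integers so they stay visible.
    return [(HASH_NAME.get(h, h), SIG_NAME.get(s, s)) for h, s in pairs]


def is_well_formed(data):
    """True when decode_sigalgs() accepts the bytes, False otherwise."""
    try:
        decode_sigalgs(data)
        return True
    except ValueError:
        return False


def server_accepts(advertised, used):
    """RFC 5246 section 7.4.8: the CertificateVerify signature MUST use a
    pair present in the advertised list. Dropping MD5 from the list is
    therefore what makes an MD5-signed CertificateVerify get rejected."""
    return used in advertised


def select_by_server_preference(server_prefs, client_offer):
    """Walk the server's own ordered list and return the first pair the
    client also offers, whatever order the client used; None if no overlap."""
    offered = set(client_offer)
    for alg in server_prefs:
        if alg in offered:
            return alg
    return None


# Constructed lists for illustration; not copied from tls12_get_req_sig_algs().
OLD_REQ_SIGALGS = [("sha512", "rsa"), ("sha384", "rsa"), ("sha256", "rsa"),
                   ("sha1", "rsa"), ("md5", "rsa")]    # MD5 present, last
NEW_REQ_SIGALGS = OLD_REQ_SIGALGS[:-1]                 # MD5 dropped


if __name__ == "__main__":
    wire = encode_sigalgs(NEW_REQ_SIGALGS)
    print("CertificateRequest sigalgs:", wire.hex())
    print("parsed:", decode_sigalgs(wire))
    print("MD5 accepted with old list:", server_accepts(OLD_REQ_SIGALGS, ("md5", "rsa")))
    print("MD5 accepted with new list:", server_accepts(NEW_REQ_SIGALGS, ("md5", "rsa")))
    # A client that lists its weaker algorithm first: the server's order still wins.
    client = [("sha1", "rsa"), ("sha256", "rsa")]
    print("chosen:", select_by_server_preference(NEW_REQ_SIGALGS, client))
```

The selection function is the behaviour Steve says 1.0.2 already has; there the server-side list is configured with SSL_CTX_set1_sigalgs_list() using strings such as "RSA+SHA256:ECDSA+SHA256", and the same list is what ends up advertised in the CertificateRequest, so configuring it without MD5 gives Kurt's result as well.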
[openssl.org #3059] TLS 1.2 CertificateRequests allows MD5
Hi,

It seems that tls12_get_req_sig_algs() sends that MD5 is a supported signature algorithm, except in the case of FIPS.

Would it make sense to drop MD5 from that list?

Kurt