Re: [openssl-users] Rejecting SHA-1 certificates
On 12/07/2017 07:23, Viktor Dukhovni wrote:
> On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote:
>> I don't think a state is really needed for this, if the callback
>> simply checks if the certificate is in the loaded trust collection,
>> and/or if it is self-signed (depending on the application's chosen
>> root CA trust model).
>
> Yes, though that too is complicated, e.g. DANE-TA(2) validation often
> produces chains where none of the certs are in the local store or
> self-signed. And checking the trust stores for an exact match takes
> some care... The stateful approach is in some ways more elementary.

Well, I guess that for DANE-TA, it would be OK to just insist on no SHA-1 in the chain at all.

Given the limited abilities of (at least previous) versions of the OpenSSL chain validation/building code, just checking for self-signed would probably be good enough for now.

Hopefully any future improved OpenSSL code (that checks all attributes currently ignored) would also provide a new callback prototype that receives extra information about the (OpenSSL internal) situation in which it was called, such as "called from TLS server checking received client cert, this is the end/middle/trusted cert in the candidate chain, and here is the SSL_CTX* for that connection". And with more sensibly named/defined callback return values too (such as "reject this cert, try another chain", "reject this cert, and all chains containing it", "abort the connection, never mind the certs", "accept this cert, despite the list of failed standard checks reported to the callback (perhaps shown to the user in a prompt)", "accept this cert and don't check the chain above it").

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Rejecting SHA-1 certificates
On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote:
> I don't think a state is really needed for this, if the callback
> simply checks if the certificate is in the loaded trust collection,
> and/or if it is self-signed (depending on the application's chosen
> root CA trust model).

Yes, though that too is complicated, e.g. DANE-TA(2) validation often produces chains where none of the certs are in the local store or self-signed. And checking the trust stores for an exact match takes some care... The stateful approach is in some ways more elementary.

-- 
	Viktor.
Re: [openssl-users] Rejecting SHA-1 certificates
On 10/07/2017 18:52, Viktor Dukhovni wrote:
> On Jul 10, 2017, at 3:45 AM, Niklas Keller wrote:
>>
>> What's the best way / a working way to reject weak signature schemes
>> in OpenSSL 1.0.{1,2}?
>
> Most CAs have stopped issuing SHA-1 certificates. Any old ones will
> expire over the next year or two. While Google has demonstrated a
> SHA-1 collision, that proof of concept is far from a practical attack.
> The simplest solution is to let the CAs solve the problem as SHA-1
> certificates fade out of the picture.
>
> You can if you wish leave out from the set of trusted roots any CAs
> that have not yet stopped issuing SHA-1 certificates.
>
> You can of course implement a verify callback that inspects each
> certificate in the chain, and triggers an error when its signature is
> SHA-1 and it is not the last one in the chain. This requires keeping
> some state attached to the X509 store context, and I don't think is
> worth the effort. See code involving "TLScontext_index" in:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L318
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L942
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_verify.c#L163
>
> With such a context, you can keep track of the maximum depth seen by
> the callback, and reject SHA-1 at lower depths. I do not recommend
> doing this.

I don't think a state is really needed for this, if the callback simply checks if the certificate is in the loaded trust collection, and/or if it is self-signed (depending on the application's chosen root CA trust model).

Enjoy

Jakob
Re: [openssl-users] Rejecting SHA-1 certificates
> It's very well worth the effort, otherwise there's a security issue, because
> certificates can be forged.

No they cannot. What *has* been done is a document was created with "weak spots" and another document was created that changed those weak spots, but the digest was the same. This is a long long long way from creating two certificates with the same digest (and therefore the same signature).
[openssl-users] Issue with TLS1.3 and s_time
I'm having an issue with s_time and s_server using the latest OpenSSL (1.1.1-dev) and tls1_3. When I use tls1_2 connections are established and data is transferred. However, when I use tls1_3 data is not transferred (connections are established). Below are the commands I use for s_time and s_server. I provided the output when I used -tls1_2 vs. -tls1_3 on the server. Notice "bytes read 0" for TLS 1.3. (I tried this on the loopback as well as 2 separate boxes.) Is this a known issue with s_time?

This is the client:

  s_time -new -connect localhost:44330 -www /1M.txt -cipher ECDHE-RSA-AES256-GCM-SHA384:TLS13-AES-256-GCM-SHA384

This is the server:

  openssl s_server -key key.pem -cert cert.pem -accept 44330 -WWW -tls1_3

This is what I see with tls1_2:

  1086 connections in 0.46s; 2360.87 connections/user sec, bytes read 51042
  1086 connections in 2 real seconds, 47 bytes read per connection

This is what I see with tls1_3:

  17663 connections in 7.67s; 2302.87 connections/user sec, bytes read 0
  17663 connections in 31 real seconds, 0 bytes read per connection
Re: [openssl-users] OpenSSL 1.1.0 providing new OIDs to source code
Yes, I can do this. I'll do it as a GitHub issue then. I hope I find time this evening to do this, otherwise tomorrow.

From: openssl-users on behalf of Richard Levitte
Sent: Tuesday, 11 July 2017 09:19:04
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL 1.1.0 providing new OIDs to source code
Re: [openssl-users] OpenSSL 1.1.0 providing new OIDs to source code
This all sounds a bit mysterious... would you mind sharing a test program that shows the problem, with detailed step by step instructions (among others what libraries you're running against each time)? Preferably as a GitHub issue, but here is fine as well...

Cheers,
Richard

In message on Mon, 10 Jul 2017 16:47:28 +, Matthias Ballreich said:

Matthias.Ballreich> Yes, MY_NID is really NID_whatever. I tried it with putting
Matthias.Ballreich> OPENSSL_init_crypto(0, NULL); at start of my main().
Matthias.Ballreich>
Matthias.Ballreich> Did not make any difference…
Matthias.Ballreich>
Matthias.Ballreich> The integer value of MY_NID will be printed out and is the correct
Matthias.Ballreich> integer value.
Matthias.Ballreich>
Matthias.Ballreich> And I tried another thing. I replaced the two dll-libraries with the
Matthias.Ballreich> new created ones and then I run my code and there all will be printed
Matthias.Ballreich> out correctly. BUT the whole time I used some older dll-libraries of
Matthias.Ballreich> openssl (1.1.0f) and for development I used the latest 1.1.1-dev and
Matthias.Ballreich> then I build this, which has added a new x509 extension (Admission),
Matthias.Ballreich> which has a new OID (NID_extX509Admission, etc.) and there the short
Matthias.Ballreich> and long name will be printed out correctly after building the code.
Matthias.Ballreich> So this is a little bit strange.
Matthias.Ballreich>
Matthias.Ballreich> Or must I replace the dll-libraries every time I build the code? But
Matthias.Ballreich> when, why has it worked with the old ones and the 1.1.1-dev (master
Matthias.Ballreich> branch)?
Matthias.Ballreich>
Matthias.Ballreich> Best regards
Matthias.Ballreich>
Matthias.Ballreich> Matthias
Matthias.Ballreich>
Matthias.Ballreich> From: Richard Levitte
Matthias.Ballreich> Sent: Monday, 10 July 2017 06:14
Matthias.Ballreich> To: openssl-users@openssl.org
Matthias.Ballreich> Subject: Re: [openssl-users] OpenSSL 1.1.0 providing new OIDs to source code
Matthias.Ballreich>
Matthias.Ballreich> In message
Matthias.Ballreich> on Sat, 8 Jul 2017 23:31:00 +, Matthias Ballreich said:
Matthias.Ballreich>
Matthias.Ballreich> matthias.ballreich> Hi there,
Matthias.Ballreich> matthias.ballreich>
Matthias.Ballreich> matthias.ballreich> I want to contribute some more OIDs. Therefore I added the OIDs inside
Matthias.Ballreich> matthias.ballreich> the „Objects.txt“ inside /crypto/objects
Matthias.Ballreich> matthias.ballreich>
Matthias.Ballreich> matthias.ballreich> Then I run these commands:
Matthias.Ballreich> matthias.ballreich>
Matthias.Ballreich> matthias.ballreich> perl objects.pl objects.txt obj_mac.num ../../include/openssl/obj_mac.h
Matthias.Ballreich> matthias.ballreich> perl obj_dat.pl ../../include/openssl/obj_mac.h obj_dat.h
Matthias.Ballreich> matthias.ballreich> perl objxref.pl obj_mac.num obj_xref.txt > obj_xref.h
Matthias.Ballreich>
Matthias.Ballreich> Sure, that looks fine to me
Matthias.Ballreich>
Matthias.Ballreich> matthias.ballreich> The files are generated / updated. Then I build the source which
Matthias.Ballreich> matthias.ballreich> builds fine without any exceptions. Then I tried to use the generated
Matthias.Ballreich> matthias.ballreich> NIDs in my code. For test purposes I tried to print out the short and
Matthias.Ballreich> matthias.ballreich> long name of my new OID with OBJ_nid2sn(MY_NID) and OBJ_nid2(MY_NID).
Matthias.Ballreich> matthias.ballreich> But here it prints out an empty string.
Matthias.Ballreich> matthias.ballreich>
Matthias.Ballreich> matthias.ballreich> When I try to use my NID with X509_get_ext_by_NID(cert, MY_NID, -1)
Matthias.Ballreich> matthias.ballreich> the output is -2.
Matthias.Ballreich> matthias.ballreich>
Matthias.Ballreich> matthias.ballreich> So where is the problem or what I'm doing wrong here? Thanks!
Matthias.Ballreich>
Matthias.Ballreich> If you've come that far, MY_NID (which I assume is really
Matthias.Ballreich> NID_whatever) obviously exists, or your code wouldn't even have
Matthias.Ballreich> compiled. One possibility remains, that for some reason, libcrypto
Matthias.Ballreich> hasn't been initialised like it should. This can happen if you only
Matthias.Ballreich> call a very select set of OpenSSL functions. What happens if you add
Matthias.Ballreich> this at the start of your main()?
Matthias.Ballreich>
Matthias.Ballreich> OPENSSL_init_crypto(0, NULL);
Matthias.Ballreich>
Matthias.Ballreich> (note, that should be seen as a temporary measure, as this is called
Matthias.Ballreich> internally in quite a number of spots, so for