<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> On Jul 10, 2017, at 3:45 AM, Niklas Keller <<a href="mailto:me@kelunik.com">me@kelunik.com</a>> wrote:<br>
><br>
><br>
> What's the best way / a working way to reject weak signature schemes in OpenSSL 1.0.{1,2}?<br>
<br>
</span>Most CAs have stopped issuing SHA-1 certificates. Any old ones will expire over the<br>
next year or two. While Google has demonstrated a SHA-1 collision, that proof of<br>
concept is far from a practical attack.<br></blockquote><div><br></div><div>Actually they should already be expired, all major browsers will reject them already, even Edge.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The simplest solution is to let the CAs solve the problem as SHA-1 certificates fade<br>
out of the picture. You can if you wish leave out from the set of trusted roots any<br>
CAs that have not yet stopped issuing SHA-1 certificates.<br></blockquote><div><br></div><div>CAs can't solve the problem that we accept certificates with weak signatures.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
You can of course implement a verify callback that inspects each certificate in the<br>
chain, and triggers an error when its signature is SHA-1 and it is not the last one<br>
in the chain. This requires keeping some state attached to the X509 store context,<br>
and I don't think is worth the effort.<br></blockquote><div><br></div><div>It's very well worth the effort, otherwise there's a security issue, because certificates can be forged.</div><div><br></div><div>Regards, Niklas</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
See code involving "TLScontext_index" in:<br>
<br>
<a href="https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L318" rel="noreferrer" target="_blank">https://github.com/vdukhovni/<wbr>postfix/blob/master/postfix/<wbr>src/tls/tls_client.c#L318</a><br>
<a href="https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L942" rel="noreferrer" target="_blank">https://github.com/vdukhovni/<wbr>postfix/blob/master/postfix/<wbr>src/tls/tls_client.c#L942</a><br>
<a href="https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_verify.c#L163" rel="noreferrer" target="_blank">https://github.com/vdukhovni/<wbr>postfix/blob/master/postfix/<wbr>src/tls/tls_verify.c#L163</a><br>
<br>
With such a context, you can keep track of the maximum depth seen by the callback,<br>
and reject SHA-1 at lower depths. I do not recommend doing this.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Viktor.<br>
<br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</font></span></blockquote></div><br></div></div>