[openssl] openssl-3.0 update

tomas at openssl.org tomas at openssl.org
Fri Oct 22 15:11:11 UTC 2021 

The branch openssl-3.0 has been updated
       via  4aa163a217aa428b324564db5b4dff2653ce26a4 (commit)
      from  b76422e708654663990b6f3b3ce85066ae05ad4a (commit)


- Log -----------------------------------------------------------------
commit 4aa163a217aa428b324564db5b4dff2653ce26a4
Author: Arne Schwabe <arne at rfc2549.org>
Date:   Wed Oct 13 15:16:58 2021 +0200

    Note that SHA1 and MD5 x509 signatures are also forbidden at security level 1
    
    The exclusion of SHA1 for X509 signatures is not obvious as the "intuative"
    idea is that SHA1 should have 80 security bits. However the security bits
    of SHA1 are explicitly set to 63 to avoid the it being strong enough for
    security level 1. x509_set.c has the comment:
    
        /*
         * SHA1 and MD5 are known to be broken. Reduce security bits so that
         * they're no longer accepted at security level 1.
         * The real values don't really matter as long as they're lower than 80,
         * which is our security level 1.
         */
    
    Signed-off-by: Arne Schwabe <arne at rfc2549.org>
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16828)

-----------------------------------------------------------------------

Summary of changes:
 doc/man3/SSL_CTX_set_security_level.pod | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index 292d6a2333..fc1ff39246 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -77,7 +77,9 @@ parameters offering below 80 bits of security are excluded. As a result RSA,
 DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
 are prohibited. All export cipher suites are prohibited since they all offer
 less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite
-using MD5 for the MAC is also prohibited.
+using MD5 for the MAC is also prohibited. Note that signatures using SHA1
+and MD5 are also forbidden at this level as they have less than 80 security
+bits.
 
 =item B<Level 2>
 
@@ -147,10 +149,11 @@ key size or the DH parameter size will abort the handshake with a fatal
 alert.
 
 Attempts to set certificates or parameters with insufficient security are
-also blocked. For example trying to set a certificate using a 512 bit RSA
-key using SSL_CTX_use_certificate() at level 1. Applications which do not
-check the return values for errors will misbehave: for example it might
-appear that a certificate is not set at all because it had been rejected.
+also blocked. For example trying to set a certificate using a 512 bit RSA key
+or a certificate with a signature with SHA1 digest at level 1 using
+SSL_CTX_use_certificate(). Applications which do not check the return values
+for errors will misbehave: for example it might appear that a certificate is
+not set at all because it had been rejected.
 
 =head1 RETURN VALUES

More information about the openssl-commits mailing list