[openssl-dev] [openssl.org #4496] [PATCH] ssl_cert: use the recommended minimum hash from RFC 5480 for EC

Matt Caswell via RT rt at openssl.org
Tue Jun 7 19:22:00 UTC 2016


On Sat Apr 02 14:05:50 2016, sebastian at breakpoint.cc wrote:
> A TLS1.2 connection with openssl server and gnutls-cli using a SECP384R1
> key ends up with SHA256 as the hash algorithm for signing the key exchange.
> This is because gnutls sends the hash algorithms from weak to strong
> and by default client's preference is used.
>
> gnutls complains about this situation:
> |<1>| The hash size used in signature (32) is less than the expected (48)

Really gnutls should not offer algorithms that it is not prepared to accept.

Also if sha256 with p256 is considered acceptable security, why wouldn't sha256
with p384 be?

OpenSSL is obeying RFC5246 7.4.1.4.1:

   Each SignatureAndHashAlgorithm value lists a single hash/signature
   pair that the client is willing to verify.  The values are indicated
   in descending order of preference.

So I don't think this is an OpenSSL bug. Closing this ticket.

Matt

>
> The complaint is based on the recommendation in RFC 5480, section 4,
> Security Considerations. There are two ways to fix it:
> - Using
> -sigalgs "ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA256:ECDSA+SHA224:ECDSA+SHA1" -serverpref
> The weaker algorithms
>
> - The following patch, which eliminates SHA256+SHA224 from the list of
> possible candidates. SHA1 is still available if left out in -sigalgs
> and nothing else matches.
>
> Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
> ---
> ssl/ssl_cert.c | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
> index 4081ebe4ffbd..7d00ad3182f5 100644
> --- a/ssl/ssl_cert.c
> +++ b/ssl/ssl_cert.c
> @@ -1135,6 +1135,25 @@ static int ssl_security_default_callback(const
> SSL *s, const SSL_CTX *ctx, int o
> if (level >= 3)
> return 0;
> break;
> +#ifndef OPENSSL_NO_EC
> + case SSL_SECOP_SIGALG_SHARED:
> + if (s && s->cert && s->cert->key && s->cert->key->privatekey)
> {
> + EVP_PKEY *skey = s->cert->key->privatekey;
> +
> + /*
> + * RFC 5480 Section 4, Security Considerations.
> + * For a curve with keysize of 384 bits (secp384r1) we
> + * allow SHA-384 and higher
> + */
> + if (EVP_PKEY_id(skey) == EVP_PKEY_EC) {
> + if (EVP_PKEY_bits(skey) > (bits * 2))
> + return 0;
> + }
> + }
> + if (bits < minbits)
> + return 0;
> + break;
> +#endif
> default:
> if (bits < minbits)
> return 0;
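Review bot: the test `EVP_PKEY_bits(skey) > (bits * 2)` only works if the `bits` passed for SSL_SECOP_SIGALG_SHARED is exactly half the digest length of the hash, and the comment above it mentions only the P-384/SHA-384 case; spell that assumption out in the comment (something like "bits is the hash's security strength, i.e. half its output size, so bits * 2 is the digest length in bits") so a reader can check the rule for P-256 and P-521 as well. Under that same assumption the rule rejects SHA-512 for a P-521 key (521 > 512), which is stricter than the RFC 5480 recommendation the comment cites, so either say so or special-case it. The check also looks only at the currently selected private key (`s->cert->key->privatekey`) and never at the sigalg being evaluated, so once an EC key is selected every shared sigalg with a shorter digest is refused, including non-ECDSA ones; that is only harmless for a server with a single certificate. Lastly, `if (bits < minbits) return 0; break;` duplicates the `default:` branch that follows; letting the new case fall through to `default:` avoids the copy.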

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4496
Please log in as guest with password guest if prompted
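The negotiation the ticket describes, as an added illustration that is not code from the ticket, OpenSSL or gnutls: a small Python model of TLS 1.2 signature_algorithms selection under RFC 5246 7.4.1.4.1 (descending preference, client order by default, server order with -serverpref), with the RFC 5480 section 4 digest-length recommendation applied the way gnutls' warning does. The client and server lists are constructed for the example; the server list is the -sigalgs string from the ticket, and the client list only assumes the weak-to-strong ordering the ticket reports, not gnutls' actual default.

```python
# Added example, not code from the ticket or from OpenSSL/gnutls: a model of
# TLS 1.2 signature_algorithms selection (RFC 5246 7.4.1.4.1) with the
# RFC 5480 section 4 hash-size recommendation layered on top.
# Both preference lists below are constructed for illustration.

HASH_BITS = {"SHA1": 160, "SHA224": 224, "SHA256": 256,
             "SHA384": 384, "SHA512": 512}

# Constructed client list: weak to strong, the ordering the ticket reports for gnutls-cli.
CLIENT_SIGALGS = ["ECDSA+SHA256", "ECDSA+SHA384", "ECDSA+SHA512"]

# Server list taken from the ticket's suggested -sigalgs string (strong to weak).
SERVER_SIGALGS = ["ECDSA+SHA384", "ECDSA+SHA512", "ECDSA+SHA256",
                  "ECDSA+SHA224", "ECDSA+SHA1"]


def hash_bits(sigalg):
    """Digest length in bits for a 'SIG+HASH' string such as 'ECDSA+SHA384'."""
    return HASH_BITS[sigalg.split("+", 1)[1]]


def select_sigalg(client, server, server_preference=False):
    """Pick the first algorithm the two lists share.

    RFC 5246 7.4.1.4.1: each list is in descending order of preference.
    Without -serverpref the client's order decides; with it, the server's.
    Returns None when the lists do not overlap.
    """
    first, second = (server, client) if server_preference else (client, server)
    return next((alg for alg in first if alg in second), None)


def meets_rfc5480(sigalg, curve_bits):
    """RFC 5480 section 4 recommendation as gnutls applies it in the ticket:
    the digest should be at least as long as the curve (48 bytes for P-384).
    In this simple form SHA-512 is also refused for P-521, matching the
    patch's EVP_PKEY_bits(skey) > bits * 2 test."""
    return hash_bits(sigalg) >= curve_bits


def filter_for_curve(server, curve_bits):
    """Server-side filtering in the spirit of the patch: drop every sigalg
    whose digest is shorter than the server's EC key before negotiation."""
    return [alg for alg in server if meets_rfc5480(alg, curve_bits)]


def negotiate(client, server, curve_bits, server_preference=False,
              filter_server=False):
    """Run the selection and report (chosen, accepted_by_rfc5480)."""
    srv = filter_for_curve(server, curve_bits) if filter_server else server
    chosen = select_sigalg(client, srv, server_preference)
    return chosen, (chosen is not None and meets_rfc5480(chosen, curve_bits))


if __name__ == "__main__":
    cases = [("client preference (default)", {}),
             ("-serverpref", {"server_preference": True}),
             ("server list filtered for P-384", {"filter_server": True})]
    for label, kw in cases:
        chosen, ok = negotiate(CLIENT_SIGALGS, SERVER_SIGALGS, 384, **kw)
        print(f"{label:32s} -> {chosen}  rfc5480_ok={ok}")
```

With the default client-preference rule the P-384 server ends up signing with SHA-256, which is exactly the mismatch gnutls warns about; either honouring the server's order or pruning the server list to digests no shorter than the curve yields SHA-384.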