[openssl-users] Rejecting SHA-1 certificates

[Jakob Bohm]

On 10/07/2017 18:52, Viktor Dukhovni wrote:
>> On Jul 10, 2017, at 3:45 AM, Niklas Keller <me at kelunik.com> wrote:
>>
>>
>> What's the best way / a working way to reject weak signature schemes in OpenSSL 1.0.{1,2}?
> Most CAs have stopped issuing SHA-1 certificates.  Any old ones will expire over the
> next year or two.  While Google has demonstrated a SHA-1 collision, that proof of
> concept is far from a practical attack.
>
> The simplest solution is to let the CAs solve the problem as SHA-1 certificates fade
> out of the picture.  You can if you wish leave out from the set of trusted roots any
> CAs that have not yet stopped issuing SHA-1 certificates.
>
> You can of course implement a verify callback that inspects each certificate in the
> chain, and triggers an error when its signature is SHA-1 and it is not the last one
> in the chain.  This requires keeping some state attached to the X509 store context,
> and I don't think is worth the effort.
>
> See code involving "TLScontext_index" in:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L318
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L942
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_verify.c#L163
>
> With such a context, you can keep track of the maximum depth seen by the callback,
> and reject SHA-1 at lower depths.  I do not recommend doing this.
>
I don't think a state is really needed for this, if the callback
simply checks if the certificate is in the loaded trust collection,
and/or if it is self-signed (depending on the application's chosen
root CA trust model).


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded