[openssl-users] Unexpected behaviors in TLS handshake

Jakob Bohm jb-openssl at wisemo.com
Wed Jun 20 19:44:15 UTC 2018

On 20/06/2018 19:31, Viktor Dukhovni wrote:
> If some root CAs, or intermediate CAs to which they delegate authority,
> employ weak algorithms, your best bet is to not trust those
> CAs, they should not be using weak algorithms.
> TLS is not the best place to regulate (Web) PKI.
I believe there is a fundamental concern, impossible to handle sanely
at the CA policy level, that a CA may reasonably have certificate
hierarchies targeting people with different maximum security strength
and/or living at different times within a root certificate lifespan.

Thus it is reasonable for a particular TLS participant to dynamically
reject/ignore certificates weaker than its own policies even if
issued by a root CA that has both strong and weak subtrees.

For example, CA1 may, over time, have the following chains:

longtermCAroot ->
   OldIntermediary(signed-with-RSA2048-SHA1, expired or revoked) ->
     OldEECerts(all expired or revoked)

longtermCAroot ->
   crossSignedNewCAroot(signed-with-RSA2048-SHA256) ->
   NewIntermediary(signed-with-RSA4096-SHA256) ->
       CurrentEEcerts (all signed with RSA4096-SHA256)

NewIntermediary(signed-with-RSA4096-SHA256) ->
     CurrentEEcerts (all signed with RSA4096-SHA256)

longtermCAroot ->
   NeverIssuedIntermediary(falsified via SHA1 weakness) ->
     FakeCert (signed with RSA4096-SHA256).

By making a TLS library able to reject certificate chains
involving RSA-MD5 (or whatever else the run time configuration
chooses to distrust), it can protect its user against trusting
the NeverIssuedIntermediary and thus the FakeCert.

CA policy and the browser forum can only choose to accept or
refuse longtermCAroot entirely.  Trusting only the self-signed
variant of crossSignedNewCAroot won't work until that has been
distributed via secure channels and all need to trust
longtermCAroot for other uses of the unified OpenSSL CA directory
have disappeared.

The scenario becomes even more complicated in cases when (due to
refusals to backport algorithms to older libraries), there are
real systems that cannot accept the latest state of the art
minimum algorithms, thus in turn requiring the ongoing issuance
of certificates with old algorithm chaining to CA roots trusted
by such older systems.

The above pattern of algorithm distrust can be expected to recur
every few decades as new attacks are found or otherwise become viable.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
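The per-link algorithm policy the message argues for, as an added illustration in Python (not OpenSSL code and not the poster's): it models the cross-signed and forged chains above as constructed records and rejects a chain whenever any signature the relying party depends on falls below a configured strength, while exempting the trust anchor's own self-signature. The hash and key sizes assigned to the root, and the bit-strength tables, are assumptions.

```python
from dataclasses import dataclass

# Approximate strength in bits; MD5 and SHA1 are rated far below their output size.
HASH_BITS = {"MD5": 39, "SHA1": 64, "SHA256": 128}

def rsa_bits(key_bits):
    """Conventional strength estimate for an RSA modulus of key_bits bits."""
    for modulus, strength in ((7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if key_bits >= modulus:
            return strength
    return 0

@dataclass(frozen=True)
class Cert:
    name: str       # subject name
    issuer: str     # subject name of the certificate that signed this one
    sig_hash: str   # hash used in the signature over this certificate
    key_bits: int   # size of this certificate's own RSA key

def link_strengths(chain):
    """Security bits of each signature the relying party depends on.
    chain is leaf first and ends with the trust anchor, whose self-signature
    is skipped: an anchor is trusted by store membership, not by its signature."""
    strengths = []
    for cert, signer in zip(chain, chain[1:]):
        if cert.issuer != signer.name:
            raise ValueError(f"{cert.name} is not issued by {signer.name}")
        strengths.append(min(HASH_BITS[cert.sig_hash], rsa_bits(signer.key_bits)))
    return strengths

def chain_accepted(chain, min_bits=80):
    """Per-link policy: every signature the chain depends on must meet min_bits."""
    return all(bits >= min_bits for bits in link_strengths(chain))

# Constructed certificates reproducing the chains in the message (the root's own
# hash and key size are assumptions; the message does not give them).
ROOT     = Cert("longtermCAroot", "longtermCAroot", "SHA1", 2048)
NEW_ROOT = Cert("NewCAroot", "NewCAroot", "SHA256", 4096)            # self-signed
X_ROOT   = Cert("NewCAroot", "longtermCAroot", "SHA256", 4096)       # cross-signed
NEW_I    = Cert("NewIntermediary", "NewCAroot", "SHA256", 4096)
EE       = Cert("CurrentEEcert", "NewIntermediary", "SHA256", 4096)
FAKE_I   = Cert("NeverIssuedIntermediary", "longtermCAroot", "SHA1", 4096)
FAKE     = Cert("FakeCert", "NeverIssuedIntermediary", "SHA256", 4096)

CHAINS = {
    "cross":  [EE, NEW_I, X_ROOT, ROOT],   # strong subtree under the old root
    "new":    [EE, NEW_I, NEW_ROOT],       # self-signed new root as the anchor
    "forged": [FAKE, FAKE_I, ROOT],        # intermediary forged via SHA1 weakness
}
```

A root-level trust decision can only accept or refuse every chain under longtermCAroot together; the per-link check keeps "cross" while refusing "forged".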
