[openssl-users] Unexpected behaviors in TLS handshake

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jun 20 21:07:56 UTC 2018

> On Jun 20, 2018, at 3:44 PM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
> I believe there is a fundamental concern, impossible to handle sanely
> at the CA policy level, that a CA may reasonably have certificate
> hierarchies targeting people with different maximum security strength
> and/or living at different times within a root certificate lifespan
> (decades).
> Thus it is reasonable for a particular TLS participant to dynamically
> reject/ignore certificates weaker than it's own policies even if
> issued by a root CA that has both strong and weak subtrees.

For that we have a coarse filter in the form of the security
level.  Thus MD5 is no longer accepted outside root CA self
signatures at the default security level 1 or higher.

One thing I forgot to mention is:


The callback interface is not yet documented, but it does allow
the application to bless or reject each algorithm for a particular

    void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex);
    void SSL_CTX_set_security_callback(SSL_CTX *ctx,
                                       int (*cb)(SSL *s, SSL_CTX *ctx, int op,
                                                 int bits, int nid,
                                                 void *other, void *ex));

When this is documented, users who really want low level
control would be able to accept or reject specific algorithms
for specific operations.

The "op" values of interest are:

   SSL_SECOP_EE_KEY   /* accept/reject an EE public key */
   SSL_SECOP_CA_KEY   /* accept/reject a CA public key */
   SSL_SECOP_CA_MD    /* accept/reject a CA hash algorithm */

If there is enough demand and contributor energy, this
interface could get documented, code examples provided, ...


More information about the openssl-users mailing list