[openssl-users] Unexpected behaviors in TLS handshake

Jakob Bohm jb-openssl at wisemo.com
Wed Jun 20 21:46:03 UTC 2018

On 20/06/2018 23:07, Viktor Dukhovni wrote:
>> On Jun 20, 2018, at 3:44 PM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> I believe there is a fundamental concern, impossible to handle sanely
>> at the CA policy level, that a CA may reasonably have certificate
>> hierarchies targeting people with different maximum security strength
>> and/or living at different times within a root certificate lifespan
>> (decades).
>> Thus it is reasonable for a particular TLS participant to dynamically
>> reject/ignore certificates weaker than its own policies even if
>> issued by a root CA that has both strong and weak subtrees.
> For that we have a coarse filter in the form of the security
> level.  Thus MD5 is no longer accepted outside root CA self
> signatures at the default security level 1 or higher.
> One thing I forgot to mention is:
>     https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_callback.html
> The callback interface is not yet documented, but it does allow
> the application to bless or reject each algorithm for a particular
> purpose:
>      void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex);
>      void SSL_CTX_set_security_callback(SSL_CTX *ctx,
>                                         int (*cb)(SSL *s, SSL_CTX *ctx, int op,
>                                                   int bits, int nid,
>                                                   void *other, void *ex));
> When this is documented, users who really want low level
> control would be able to accept or reject specific algorithms
> for specific operations.
> The "op" values of interest are:
>     SSL_SECOP_EE_KEY   /* accept/reject an EE public key */
>     SSL_SECOP_CA_KEY   /* accept/reject a CA public key */
>     SSL_SECOP_CA_MD    /* accept/reject a CA hash algorithm */
> If there is enough demand and contributor energy, this
> interface could get documented, code examples provided, ...
What would be much more useful would be a way to put the simpler
forms in the cipher list or config options list that OpenSSL
encourages generic clients and servers to make available to end
users, thus allowing such end users (not software developers like
me) to disable broken algorithms as soon as practical to their
situation.  Also end users wanting higher security levels might
want to disable the weaker of the "currently secure" algorithms,
along with disabling the corresponding TLS cipher suites.  So
currently, these would be approximately the users who might
manually disable 128 bit symmetric cipher suites.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
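
As an added example (not code from this thread or from OpenSSL itself), here is a callback of the shape Viktor quotes above that enforces the kind of per-algorithm policy Jakob asks for: it refuses MD5 and SHA-1 as CA signature hashes and any EE or CA key below a security-bits floor, and hands every other op back to the callback it displaced so the built-in security level keeps applying. The `strict_policy_ex` struct, the function names and the 128-bit floor are my own choices; the `SSL_SECOP_*` and `NID_*` values are OpenSSL's, with local stand-ins (copied from `ssl.h` / `obj_mac.h`) only so the file also compiles where the headers are absent.

```c
/* Added example: a security callback that rejects MD5/SHA-1 CA signatures and keys
 * under a security-bits floor, and defers everything else to the displaced callback. */
#include <stddef.h>
#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
# endif
#endif
#ifndef SSL_SECOP_EE_KEY
/* Stand-ins so this also compiles without libssl headers; values copied from ssl.h / obj_mac.h. */
typedef struct ssl_st SSL; typedef struct ssl_ctx_st SSL_CTX;
# define SSL_SECOP_OTHER_CERT (6 << 16)
# define SSL_SECOP_PEER       0x1000
# define SSL_SECOP_EE_KEY     (11 | SSL_SECOP_OTHER_CERT)
# define SSL_SECOP_CA_KEY     (12 | SSL_SECOP_OTHER_CERT)
# define SSL_SECOP_CA_MD      (13 | SSL_SECOP_OTHER_CERT)
# define NID_md5 4
# define NID_sha1 64
# define NID_sha256 672
#endif

typedef int (*security_cb_t)(SSL *, SSL_CTX *, int, int, int, void *, void *);

/* Reaches the callback through SSL_CTX_set0_security_ex_data(): the callback we displaced
 * (so the built-in security level still applies to other ops) and our key-strength floor. */
struct strict_policy_ex { security_cb_t prev; int min_key_bits; };

/* 1 = accept, 0 = reject, -1 = no opinion (caller falls back to prev). */
int strict_policy(int op, int bits, int nid, int min_key_bits)
{
    switch (op & ~SSL_SECOP_PEER) {        /* one rule for our own chain and the peer's */
    case SSL_SECOP_CA_MD:                  /* bits = digest security bits, nid = digest NID */
        return (nid == NID_md5 || nid == NID_sha1) ? 0 : 1;
    case SSL_SECOP_EE_KEY:
    case SSL_SECOP_CA_KEY:                 /* bits = EVP_PKEY_security_bits(key), nid = 0 */
        return bits >= min_key_bits ? 1 : 0;   /* 128 bits ~ RSA-3072 / P-256 */
    default:
        return -1;
    }
}

int strict_security_cb(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex)
{
    const struct strict_policy_ex *pol = ex;
    int verdict = strict_policy(op, bits, nid, pol ? pol->min_key_bits : 128);
    if (verdict >= 0)
        return verdict;                     /* our policy decided */
    /* Not ours: hand to the displaced callback (the default one ignores its ex argument). */
    return (pol && pol->prev) ? pol->prev(s, ctx, op, bits, nid, other, NULL) : 1;
}
```

To install it against a real context, save `SSL_CTX_get_security_callback(ctx)` into `pol.prev`, pass `&pol` to `SSL_CTX_set0_security_ex_data(ctx, ...)`, and then call `SSL_CTX_set_security_callback(ctx, strict_security_cb)`; the struct must outlive the context. Note that OpenSSL does not consult the callback for a root's self-signature, which is why MD5 on a self-signed root is still tolerated as Viktor describes.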
