Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-12 Thread Jakob Bohm
On 12/07/2017 14:24, Niklas Keller wrote: 2017-07-12 8:35 GMT+02:00 Wouter Verhelst: On 11-07-17 23:44, Salz, Rich via openssl-users wrote: >> It's very well worth the effort, otherwise there's a security issue, because

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-12 Thread Niklas Keller
2017-07-12 8:35 GMT+02:00 Wouter Verhelst: > On 11-07-17 23:44, Salz, Rich via openssl-users wrote: > >> It's very well worth the effort, otherwise there's a security issue, > because certificates can be forged. > > > > No they cannot. > > > > What *has* been done is a

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-12 Thread Wouter Verhelst
On 11-07-17 23:44, Salz, Rich via openssl-users wrote: >> It's very well worth the effort, otherwise there's a security issue, because >> certificates can be forged. > > No they cannot. > > What *has* been done is a document was created with "weak spots" and another > document was created that

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-11 Thread Jakob Bohm
On 12/07/2017 07:23, Viktor Dukhovni wrote: On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote: I don't think a state is really needed for this, if the callback simply checks if the certificate is in the loaded trust collection, and/or if it is self-signed (depending on the

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-11 Thread Viktor Dukhovni
On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote: > I don't think a state is really needed for this, if the callback > simply checks if the certificate is in the loaded trust collection, > and/or if it is self-signed (depending on the application's chosen > root CA trust model). Yes,

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-11 Thread Jakob Bohm
On 10/07/2017 18:52, Viktor Dukhovni wrote: On Jul 10, 2017, at 3:45 AM, Niklas Keller wrote: What's the best way / a working way to reject weak signature schemes in OpenSSL 1.0.{1,2}? Most CAs have stopped issuing SHA-1 certificates. Any old ones will expire over the

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-11 Thread Salz, Rich via openssl-users
> It's very well worth the effort, otherwise there's a security issue, because > certificates can be forged. No they cannot. What *has* been done is a document was created with "weak spots" and another document was created that changed those weak spots, but the digest was the same. This is

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Viktor Dukhovni > Sent: Monday, July 10, 2017 13:24 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Rejecting SHA-1 certificates > > On Mon, Jul 10, 2017 at 08:19:11PM +0200

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Viktor Dukhovni
On Mon, Jul 10, 2017 at 08:19:11PM +0200, Niklas Keller wrote: > > What's your threat model, and how does it justify this effort? > > The same as for browsers I guess. Could you explain why browsers and Java > disable SHA1, but it's not worth for me doing so? The browsers and Java do this

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Michael Sierchio
On Mon, Jul 10, 2017 at 10:22 AM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote: > > > On Jul 10, 2017, at 1:12 PM, Niklas Keller wrote: > > > > It's very well worth the effort, otherwise there's a security issue, > because certificates can be forged. > > Collision

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Niklas Keller
2017-07-10 19:30 GMT+02:00 Michael Wojcik <michael.woj...@microfocus.com>: > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On > Behalf Of Niklas Keller > > Sent: Monday, July 10, 2017 11:12 > > To: openssl-users@openssl.org > > Subject: Re

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Niklas Keller > Sent: Monday, July 10, 2017 11:12 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Rejecting SHA-1 certificates > It's very well worth the effort, otherwise there'

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Viktor Dukhovni
> On Jul 10, 2017, at 1:12 PM, Niklas Keller wrote: > > It's very well worth the effort, otherwise there's a security issue, because > certificates can be forged. Collision attacks don't directly lead to certificate forgery. There are no known 2nd-preimage attacks on SHA-1.

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Niklas Keller
> > > On Jul 10, 2017, at 3:45 AM, Niklas Keller wrote: > > > > > > What's the best way / a working way to reject weak signature schemes in > OpenSSL 1.0.{1,2}? > > Most CAs have stopped issuing SHA-1 certificates. Any old ones will > expire over the > next year or two. While

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Viktor Dukhovni
> On Jul 10, 2017, at 3:45 AM, Niklas Keller wrote: > > > What's the best way / a working way to reject weak signature schemes in > OpenSSL 1.0.{1,2}? Most CAs have stopped issuing SHA-1 certificates. Any old ones will expire over the next year or two. While Google has

[openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Niklas Keller
Morning, I'm currently trying to reject certificate chains which rely on MD5 and SHA-1 for signatures. I found SSL_get0_verified_chain which could be used to walk the chain and reject if there's any MD5 / SHA-1 certificate in there, except for the last one, which is trusted because of the public