I've recently overheard some discussions about the need to get more detailed
info about the security of a particular SSL connection, for displaying to
the user and for other purposes.
The function presently available for this purpose, SSL_SecurityStatus()
is documented at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1092805
This function is inadequate in several respects, which I'll enumerate below.
Below that, I propose a new function to supersede SSL_SecurityStatus. I want
to solicit your input on whether this new function adequately meets the
needs. This work is not yet part of any NSS PRD, and not scheduled for anyh
Inadequacies of SSL_SecurityStatus:
1. Does not indicate key exchange algorithm.
RSA? DHE? Fortezza-KEA?
2. Does not indicate strength of key exchange key/value
512 bits? 1024 bits? other?
3. Does not indicate server authentication algorithm.
RSA? DSA?
4. Does not indicate server authentication key size.
512 bits? 1024 bits? other?
5. Does not indicate SSL protocol version used.
SSL 2? SSL 3.0? TLS (SSL 3.1)?
6. Does not indicate the digest algorithm used for message authentication
(MAC).
SHA1? MD5?
6.1 Does not indicate the size of the digest used for MACs. Presently, this
value is implicitly determined from the particular MAC algorithm, but
in the future there will be "truncated MACs" which are shorter than
the full size given by the algorithm.
7. Returns a malloced ASCII string to identify the symmetric cipher used.
- These strings are not localized (although it's not clear how to localize
TLAs like RC2 and DES).
- The strings are inconsistent in identification of export status (key
strength). For example, RC2-CBC with a 40 bit export key is identified
as RC2-CBC-Export for SSL2 and as RC2-CBC-40 for SSL3.
- Since the size of the key is available as an integer, there's really no
need to identify RC4 with a 40-bit key as a separate cipher from RC4
with a 128-bit key.
8. Provides no information about whether client key exchange was done, and
what cert was used, or what key size or client authentication algorithm
was used.
9. Perpetuates the confusion about key size vs. "secret" key size.
10. Returns RFC 1485 (ASCII-encoded) issuer and subject names for the peer's
certificate (if any), but no other decoded info about the cert is made
available. However, the application can obtain the peer's cert and
extract what it needs with other libcert functions.
11. Returns an indicator of the "level" of security: Off, low, high, which
is based on outdated levels of expectation. (56-bits is no longer
considered high security, for example.) The application ought to make
this value judgement for itself, IMO.
Before you read the proposed new function, please familiarize yourself with
the documentation on the existing function, at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1092805
Proposed new function and structure.
The newly proposed function returns all info in a caller-supplied structure.
The caller does not have to free any memory allocated by the function.
No strings are returned. All values are numeric. Translating the returned
numbers into strings is the responsibility of the calling application.
typedef enum {
ssl_calg_null = 0,
ssl_calg_rc4 = 1,
ssl_calg_rc2 = 2,
ssl_calg_des = 3,
cssl_alg_3des = 4,
ssl_calg_idea = 5,
ssl_calg_fortezza = 6, /* skipjack */
ssl_calg_aes = 7 /* coming soon */
} SSL3CipherAlgorithm;
typedef struct SSLChannelInfoStr {
PRUint16 version;
PRUint16 cipherSuite;
SSL3SignType authAlgorithm;
PRUint32 authKeyBits;
SSLKEAType keaType;
PRUint32 keaKeyBits;
SSL3CipherAlgorithm bulkCipher;
PRUint16 effectiveKeyBits;
SSL3MACAlgorithm macAlgorithm;
PRUint16 macBits;
} SSLChannelInfo;
extern SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info);
(Yes, I know that's not optimal packing of that struct, but at this point,
I want to discuss whether the info you need is there, not how the struct
looks or struct member names. )
Notes:
- All of these types (except SSL3CipherAlgorithm shown above) are presently
defined in ssl header files, but some are defined in private header files,
and will have to be moved to public header files.
- version is the SSL protocol version. Zero means SSL was not used.
See SSL_LIBRARY_VERSION macros in sslproto.h for defined versions.
- cipherSuite values are defined in sslproto.h. For SSL2, these are
the SSL_EN_ symbols.
- effectiveKeyBits is the number of "secret" bits in the key used for the
symmetric bulk encryption cipher (e.g. RC4, DES).
- macBits is the number of bits in the MAC in each SSL record.
- This struct does not contain any info about the peer's cert. There is
already a function for obtaining a reference to the peer's CERTCertificate
struct, and there are accessor functions that extract values (e.g. portions
of the name, validity dates, etc.) from that struct. For example,
CERT_NameToASCII can be used to to extract the issuer name or subject name
from the certificate reference.
- This struct does not contain any info about the local cert (if any) that
was used to do client authentication. However, since the application
provides that cert to the SSL library through a callback function, the
application ought to already have a pointer to that cert. However, a
function to return a reference to the local client cert could be added if
needed.
Comments? Questions?
--
Nelson Bolyard Sun / Netscape Alliance
Disclaimer: I speak for myself, not for Netscape
