> From: owner-openssl-us...@openssl.org On Behalf Of Roger No-Spam
> Sent: Friday, 13 May, 2011 04:15
>
> We have decided to use openssl to protect a connection in our system
> with TLS. Clients will be authenticated using X509 certificates. To cut
> a long story short, a decision has been taken to use self-signed certificates.
> On the server, each client's self-signed cert will be loaded by a call to
> SSL_CTX_load_verify_locations(). This is pretty much working as expected,

To be exact: you can't be doing "a" load_verify_locations for each
of multiple certs -- unless you do it dynamically one per SSL_accept().
To statically accept multiple certs, you can put them all in one file,
or in one directory with hashlinks (or hashnames), and use that file
or that directory (or possibly one of each) for load_verify_locations.

> apart from one thing. If we modify the client's private key (modified a bit
> in the privateExponent), the TLS connection is still successfully established.
> I had expected the signature verification (certificate verify message)
> of the handshake to fail in this case.
>
> Are there any gotchas with self-signed certs? Or is there something else
> we have missed that explains why the signature verification is successful
> with the modified key?

It's not the cert; the same thing happens with just keys in rsautl.

OpenSSL normally stores and uses RSA privatekey in Chinese Remainder
Theorem format, which is quite a bit faster. If you damage only the
privateExponent 'd' it doesn't affect the private key operation.
If you damage a CRT component it (silently!) falls back to modexp-d
instead, so if you damage *both* a CRT component *and* d *then*
you get a bad signature, and a handshake failure. I *think* this
works for any bit in any CRT component, but I didn't try to work out
the math (and certainly didn't test completely).

What is your threat (model) here? If an attacker can get at your
clear privatekey file, I can't imagine why they would only flip
one bit; and if they can get at an encrypted privatekey file,
any tampering including a bit flip should be detected and
refuse to load the key at all.
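An added illustration of the point made in the reply above (not part of the original thread and not OpenSSL code): a toy RSA key where the CRT signing path never reads d, so a flipped bit in d still produces a valid signature, while a load-time consistency check catches the damage. The key values, function names and dictionary layout are constructed for this example, and the fallback to modexp-d described in the reply is not modelled.

```python
from math import gcd

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537

def make_key(p, q, e):
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def sign_crt(key, m):
    """Private-key operation using only p, q, dp, dq, qinv (d is never read)."""
    s1 = pow(m, key["dp"], key["p"])
    s2 = pow(m, key["dq"], key["q"])
    h = (key["qinv"] * (s1 - s2)) % key["p"]
    return s2 + h * key["q"]

def sign_plain(key, m):
    """Private-key operation without CRT: a single modexp with d."""
    return pow(m, key["d"], key["n"])

def verify(key, m, sig):
    return pow(sig, key["e"], key["n"]) == m

def key_is_consistent(key):
    """Check that n, d and the CRT values all describe the same key."""
    p, q, d, e = key["p"], key["q"], key["d"], key["e"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (key["n"] == p * q and (d * e) % lam == 1
            and key["dp"] == d % (p - 1) and key["dq"] == d % (q - 1)
            and (key["qinv"] * q) % p == 1)

def flip_bit(key, field, bit):
    """Return a copy of the key with one bit flipped in the named field."""
    damaged = dict(key)
    damaged[field] ^= 1 << bit
    return damaged

if __name__ == "__main__":
    key = make_key(P, Q, E)
    bad = flip_bit(key, "d", 7)   # damage only the private exponent
    m = 123456789                 # constructed message representative
    print("CRT signature with damaged d verifies:", verify(bad, m, sign_crt(bad, m)))
    print("plain signature with damaged d verifies:", verify(bad, m, sign_plain(bad, m)))
    print("consistency check passes on damaged key:", key_is_consistent(bad))
```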