On 20/06/2018 23:07, Viktor Dukhovni wrote:

> On Jun 20, 2018, at 3:44 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
>
>> I believe there is a fundamental concern, impossible to handle sanely
>> at the CA policy level, that a CA may reasonably have certificate
>> hierarchies targeting people with different maximum security strength
>> and/or living at different times within a root certificate lifespan
>> (decades).
>>
>> Thus it is reasonable for a particular TLS participant to dynamically
>> reject/ignore certificates weaker than its own policies even if
>> issued by a root CA that has both strong and weak subtrees.
>
> For that we have a coarse filter in the form of the security
> level.  Thus MD5 is no longer accepted outside root CA self
> signatures at the default security level 1 or higher.
>
> One thing I forgot to mention is:
>
> https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_callback.html
>
> The callback interface is not yet documented, but it does allow
> the application to bless or reject each algorithm for a particular
> purpose:
>
>      void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex);
>      void SSL_CTX_set_security_callback(SSL_CTX *ctx,
>                                         int (*cb)(SSL *s, SSL_CTX *ctx, int op,
>                                                   int bits, int nid,
>                                                   void *other, void *ex));
>
> When this is documented, users who really want low level
> control would be able to accept or reject specific algorithms
> for specific operations.
>
> The "op" values of interest are:
>
>     SSL_SECOP_EE_KEY   /* accept/reject an EE public key */
>     SSL_SECOP_CA_KEY   /* accept/reject a CA public key */
>     SSL_SECOP_CA_MD    /* accept/reject a CA hash algorithm */
>
> If there is enough demand and contributor energy, this
> interface could get documented, code examples provided, ...

What would be much more useful would be a way to put the simpler
forms in the cipher list or config options list that OpenSSL
encourages generic clients and servers to make available to end
users, thus allowing such end users (not software developers like
me) to disable broken algorithms as soon as practical to their
situation.  Also end users wanting higher security levels might
want to disable the weaker of the "currently secure" algorithms,
along with disabling the corresponding TLS cipher suites.  So
currently, these would be approximately the users who might
manually disable 128 bit symmetric cipher suites.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
