Re: [openssl-users] Rejecting SHA-1 certificates
2017-07-12 8:35 GMT+02:00 Wouter Verhelst:
> On 11-07-17 23:44, Salz, Rich via openssl-users wrote:
>>> It's very well worth the effort, otherwise there's a security issue,
>>> because certificates can be forged.
>>
>> No they cannot.
>>
>> What *has* been done is a document was created with "weak spots" and
>> another document was created that changed those weak spots, but the digest
>> was the same.
>
> Correct me if I'm wrong, but wasn't the MD5 certificate hack presented
> back at 25C3 based on exactly that scenario? They used the serial number
> and timestamp or some other such thing (don't recall the details) as
> weak spots and then sent loads of certificate requests to the CA to
> effectively brute-force it.
>
> (Of course, CAs are now required to randomize their serial number, so
> since that particular attack isn't possible anymore, I agree that for
> the time being it's still not a feasible scenario for SHA1, but hey)

Maybe not currently for SHA-1, but maybe for MD5? Also not sure whether you
can use these old certificates with weak serials and change the date as well
there?

Regards, Niklas

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Rejecting SHA-1 certificates
2017-07-10 19:30 GMT+02:00 Michael Wojcik <michael.woj...@microfocus.com>:
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
>> Behalf Of Niklas Keller
>> Sent: Monday, July 10, 2017 11:12
>> To: openssl-users@openssl.org
>> Subject: Re: [openssl-users] Rejecting SHA-1 certificates
>>
>> It's very well worth the effort, otherwise there's a security issue,
>> because certificates can be forged.
>
> Care to demonstrate that?

I'm not sure how feasible that is for either SHA1 or MD5.

> The SHAttered attack demonstrated an SHA1 collision using 1) an enormous
> amount of resources and 2) a file format with plenty of scope for
> manipulating the preimages. I'm not aware of any public demonstration
> showing anything close to a practical way of forging an X.509 certificate
> with an SHA1-based signature. Certificates have far less scope for
> manipulating the preimage.
>
> It's always been possible to forge certificates. Generally that's been
> done by stealing the signing key from a poorly-secured CA. The new
> marginal feasibility of producing SHA1 collisions does not significantly
> increase the forgery risk for X.509 certificates at present, since it's
> probably still too difficult - perhaps not even possible for any useful
> forgery (if the forged certificate had to carry a suspect amount of
> unexpected data, for example) - and certainly far too expensive to justify
> the vast majority of potential attacks.

Probably true, yes.

> A security vulnerability is meaningless outside the context of a threat
> model. Forging certificates with SHA1-based signatures is a very minor
> branch of the attack tree for nearly all certificate holders. CAs and
> browser vendors are getting rid of SHA1-based signatures now because the
> cost of being proactive is very small, and attacks only get better. That
> doesn't mean immediately screening out all SHA1-based certificates is
> justified under sensible threat models.
>
> What's your threat model, and how does it justify this effort?

The same as for browsers I guess. Could you explain why browsers and Java
disable SHA1, but it's not worth it for me to do so?

Regards, Niklas
Re: [openssl-users] Rejecting SHA-1 certificates
>> On Jul 10, 2017, at 3:45 AM, Niklas Keller <m...@kelunik.com> wrote:
>>
>> What's the best way / a working way to reject weak signature schemes in
>> OpenSSL 1.0.{1,2}?
>
> Most CAs have stopped issuing SHA-1 certificates. Any old ones will
> expire over the next year or two. While Google has demonstrated a SHA-1
> collision, that proof of concept is far from a practical attack.

Actually they should already be expired, all major browsers will reject them
already, even Edge.

> The simplest solution is to let the CAs solve the problem as SHA-1
> certificates fade out of the picture. You can if you wish leave out from
> the set of trusted roots any CAs that have not yet stopped issuing SHA-1
> certificates.

CAs can't solve the problem that we accept certificates with weak signatures.

> You can of course implement a verify callback that inspects each
> certificate in the chain, and triggers an error when its signature is
> SHA-1 and it is not the last one in the chain. This requires keeping some
> state attached to the X509 store context, and I don't think is worth the
> effort.

It's very well worth the effort, otherwise there's a security issue, because
certificates can be forged.

Regards, Niklas

> See code involving "TLScontext_index" in:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L318
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L942
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_verify.c#L163
>
> With such a context, you can keep track of the maximum depth seen by the
> callback, and reject SHA-1 at lower depths. I do not recommend doing this.
>
> --
> Viktor.
[openssl-users] Rejecting SHA-1 certificates
Morning,

I'm currently trying to reject certificate chains which rely on MD5 and SHA-1
for signatures. I found SSL_get0_verified_chain which could be used to walk
the chain and reject if there's any MD5 / SHA-1 certificate in there, except
for the last one, which is trusted because of the public key instead of based
on the signature, so a weak signature algorithm doesn't have any impact there.

Unfortunately, SSL_get0_verified_chain is only available in OpenSSL 1.1, but
not in OpenSSL 1.0.1 or 1.0.2, which both have to be supported. With OpenSSL
1.1, we could also just use "auth_level" and be done.

What's the best way / a working way to reject weak signature schemes in
OpenSSL 1.0.{1,2}?

Regards, Niklas