Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?

2021-01-12 Thread Steffen Nurpmeso
Matt Caswell wrote in
 <9b337dc8-3d2b-23c4-f4b8-ee332deda...@openssl.org>:
 |Please raise your patch as a PR so that it can be properly reviewed. You'll
 |also need to submit a CLA:

Sorry no, i do not have a github account nor will i go there.
You may commit it with your own name, or not.
Have a nice day.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?

2021-01-12 Thread Matt Caswell
Please raise your patch as a PR so that it can be properly reviewed. You'll
also need to submit a CLA:

https://www.openssl.org/policies/cla.html

Thanks

Matt




Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?

2021-01-11 Thread Steffen Nurpmeso
Hello.

Matt Caswell wrote in
 :
 |On 09/01/2021 23:24, Steffen Nurpmeso wrote:
 |> Hello.
 |>
 |> I do use SSL_CONF_cmd() (and modules) possibility if it exists,
 |> since it allows users to simply use the features of the newest
 |> OpenSSL library without any code changes on my side.
 |> This is great, and i think i applauded in the past.
 |>
 |> I discovered security_level(), needless to say i thought
 |> @SECLEVEL= of ciphers(1) was broken until i discovered -s is
 |> required to make it functional (..and do not get me started on
 |> -ciphersuites..).
 |>
 |> Wouldn't it make sense to offer SecurityLevel as a keyword for
 |> SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since
 |> it seems (from the manual) to extend to more than what i would
 |> assume to be covered by a @SECLEVEL member of CipherString aka
 |> ..Ciphersuites...?
 |
 |This is probably a good idea. I'd support it if someone wanted to add that.

Please find a simple add-on attached, it could be it ("having no
idea of the codebase"..).  It compiles, but when linking against
678cae0295e3f (master from today) plus the patch i get errors:

  In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
  /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected declaration specifiers or '...' before 'ossl_check_const_GENERAL_NAME_sk_type'
    402 | DEFINE_STACK_OF(GENERAL_NAME)
        | ^~~
  /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before '*' token
    402 | DEFINE_STACK_OF(GENERAL_NAME)
        | ^~~
  /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before 'OPENSSL_sk_value'
    402 | DEFINE_STACK_OF(GENERAL_NAME)
        | ^~~
  In file included from /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/crypto.h:35,
                   from /home/steffen/src/nail.git/src/mx/xtls.c:53:
  /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected identifier or '(' before 'struct'
    402 | DEFINE_STACK_OF(GENERAL_NAME)
        | ^~~
  In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
  /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before 'OPENSSL_sk_new'
    402 | DEFINE_STACK_OF(GENERAL_NAME)
        | ^~~
  /home/steffen/src/nail.git/src/mx/xtls.c:402:1: error: macro "sk_GENERAL_NAME_new_null" passed 1 arguments, but takes just 0
    402 | DEFINE_STACK_OF(GENERAL_NAME)
        | ^  ~
  In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
  /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/x509v3.h:225: note: macro "sk_GENERAL_NAME_new_null" defined here
    225 | #define sk_GENERAL_NAME_new_null() ((STACK_OF(GENERAL_NAME) *)OPENSSL_sk_new_null())
        |

I have not tested OpenSSL 3.0 for a while, but it was clean when
i tried it last, my last commit was "Be truly
OPENSSL_NO_DEPRECATED_3_0 clean" on 2020-07-19.  I used

  ./config --prefix=/home/steffen/usr-kent-linux-x86_64/opt/.ossl3 \
      zlib-dynamic shared no-deprecated no-async threads no-tests \
      -Wl,-rpath,'$(LIBRPATH)'

on a current glibc Linux (CRUX-Linux 3.6).

Ciao from Germany,

--steffen
From ab46866fa6b5c13ff26795871b41e3980b963f77 Mon Sep 17 00:00:00 2001
Message-Id: 
From: Steffen Nurpmeso 
Date: Mon, 11 Jan 2021 22:47:36 +0100
Subject: [PATCH] SSL_CONF_cmd: add SecurityLevel/security_level for
 SSL_CTX_set_security_level(3)

---
 doc/man3/SSL_CONF_cmd.pod | 28 
 ssl/ssl_conf.c| 20 
 2 files changed, 48 insertions(+)

diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 97ebff047f..161feedc3a 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -190,6 +190,20 @@ for DTLS.
 To restrict the supported protocol versions use these commands rather than the
 deprecated alternative commands below.
 
+=item B<-security_level> I
+
+Set the enforced security level.
+Currently supported values are in between B<0> (lowest) and B<5> (highest).
+The security framework disables or reject parameters inconsistent with the
+set security level.
+The bits of security limits affect all relevant parameters including cipher
+suite encryption algorithms, supported ECC curves, supported signature
+algorithms, DH parameter sizes, certificate key sizes and signature
+algorithms. This limit applies no matter what other custom settings an
+application has set: so if the cipher suite is set to ALL then only cipher
+suites consistent with the security level are permissible.
+See L for more information.
+
 =item B<-record_padding> I
 
 Attempts to pad TLSv1.3 records so that they are a multiple of B
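Review bot: two grammar slips in the new paragraph: "Currently supported values are in between B<0> (lowest) and B<5> (highest)" should read "between", and "The security framework disables or reject parameters" should read "rejects". The rest of the paragraph (bits of security, ECC curves, DH parameter and key sizes, the ALL example) is lifted from the SSL_CTX_set_security_level(3) page it already points to; a one- or two-sentence description that leans on the "See L... for more information" cross-reference would avoid two copies of the same text drifting apart. The subject line promises both the command-line form -security_level and the file form SecurityLevel, but this hunk documents only the former, so the file-format keyword list needs the matching SecurityLevel entry too.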
@@ -524,6 +538,20 @@ B: use CA names extension, 

Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?

2021-01-11 Thread Matt Caswell



On 09/01/2021 23:24, Steffen Nurpmeso wrote:
> Hello.
> 
> I do use SSL_CONF_cmd() (and modules) possibility if it exists,
> since it allows users to simply use the features of the newest
> OpenSSL library without any code changes on my side.
> This is great, and i think i applauded in the past.
> 
> I discovered security_level(), needless to say i thought
> @SECLEVEL= of ciphers(1) was broken until i discovered -s is
> required to make it functional (..and do not get me started on
> -ciphersuites..).
> 
> Wouldn't it make sense to offer SecurityLevel as a keyword for
> SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since
> it seems (from the manual) to extend to more than what i would
> assume to be covered by a @SECLEVEL member of CipherString aka
> ..Ciphersuites...?

This is probably a good idea. I'd support it if someone wanted to add that.

Matt