Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?
Matt Caswell wrote in <9b337dc8-3d2b-23c4-f4b8-ee332deda...@openssl.org>: |Please raise your patch as a PR so that it can properly reviewed. You'll |also need to submit a CLA: Sorry no, i do not have a github account nor will i go there. You may commit it with your own name, or not. Have a nice day. --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?
Please raise your patch as a PR so that it can properly reviewed. You'll also need to submit a CLA: https://www.openssl.org/policies/cla.html Thanks Matt On 11/01/2021 22:19, Steffen Nurpmeso wrote: > Hello. > > Matt Caswell wrote in > : > |On 09/01/2021 23:24, Steffen Nurpmeso wrote: > |> Hello. > |> > |> I do use SSL_CONF_cmd() (and modules) possibility if it exists, > |> since it allow users to simply use the features of the newest > |> OpenSSL library without any code changes on my side. > |> This is great, and i think i applauded in the past. > |> > |> I discovered security_level(), needless to say i thought > |> @SECLEVEL= of ciphers(1) was broken until i discovered -s is > |> required to make it functional (..and do not get me started on > |> -ciphersuites..). > |> > |> Wouldn't it make sense to offer SecurityLevel as a keyword for > |> SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since > |> it seems (from the manual) to extend to more than what i would > |> assume to be covered by a @SECLEVEL member of CipherString aka > |> ..Ciphersuites...? > | > |This is probably a good idea. I'd support it if someone wanted to add that. > > Please find a simple add-on attached, it could be it ("having no > idea of the codebase"..). It compiles, but when linking against > 678cae0295e3f (master from today) plus the patch i get errors: > > In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60: > /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected declaration > specifiers or '...' before 'ossl_check_const_GENERAL_NAME_sk_type' > 402 |DEFINE_STACK_OF(GENERAL_NAME) > |^~~ > /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before > '*' token > 402 |DEFINE_STACK_OF(GENERAL_NAME) > |^~~ > /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before > 'OPENSSL_sk_value' > 402 |DEFINE_STACK_OF(GENERAL_NAME) > |^~~ > In file included from > /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/crypto.h:35, >from /home/steffen/src/nail.git/src/mx/xtls.c:53: > /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected identifier > or '(' before 'struct' > 402 |DEFINE_STACK_OF(GENERAL_NAME) > |^~~ > In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60: > /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before > 'OPENSSL_sk_new' > 402 |DEFINE_STACK_OF(GENERAL_NAME) > |^~~ > /home/steffen/src/nail.git/src/mx/xtls.c:402:1: error: macro > "sk_GENERAL_NAME_new_null" passed 1 arguments, but takes just 0 > 402 |DEFINE_STACK_OF(GENERAL_NAME) > | ^ ~ > In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60: > > /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/x509v3.h:225: > note: macro "sk_GENERAL_NAME_new_null" defined here > 225 | #define sk_GENERAL_NAME_new_null() ((STACK_OF(GENERAL_NAME) > *)OPENSSL_sk_new_null()) > | > > I have not tested OpenSSL 3.0 for a while, but it was clean when > i tried it last, my last commit was "Be truly > OPENSSL_NO_DEPRECATED_3_0 clean" on 2020-07-19. I used > > ./config --prefix=/home/steffen/usr-kent-linux-x86_64/opt/.ossl3 \ > zlib-dynamic shared no-deprecated no-async threads no-tests \ > -Wl,-rpath,'$(LIBRPATH)' > > on a current glibc Linux (CRUX-Linux 3.6). > > Ciao from Germany, > > --steffen > | > |Der Kragenbaer,The moon bear, > |der holt sich munter he cheerfully and one by one > |einen nach dem anderen runter wa.ks himself off > |(By Robert Gernhardt) >
Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?
Hello. Matt Caswell wrote in : |On 09/01/2021 23:24, Steffen Nurpmeso wrote: |> Hello. |> |> I do use SSL_CONF_cmd() (and modules) possibility if it exists, |> since it allow users to simply use the features of the newest |> OpenSSL library without any code changes on my side. |> This is great, and i think i applauded in the past. |> |> I discovered security_level(), needless to say i thought |> @SECLEVEL= of ciphers(1) was broken until i discovered -s is |> required to make it functional (..and do not get me started on |> -ciphersuites..). |> |> Wouldn't it make sense to offer SecurityLevel as a keyword for |> SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since |> it seems (from the manual) to extend to more than what i would |> assume to be covered by a @SECLEVEL member of CipherString aka |> ..Ciphersuites...? | |This is probably a good idea. I'd support it if someone wanted to add that. Please find a simple add-on attached, it could be it ("having no idea of the codebase"..). It compiles, but when linking against 678cae0295e3f (master from today) plus the patch i get errors: In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60: /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected declaration specifiers or '...' before 'ossl_check_const_GENERAL_NAME_sk_type' 402 |DEFINE_STACK_OF(GENERAL_NAME) |^~~ /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before '*' token 402 |DEFINE_STACK_OF(GENERAL_NAME) |^~~ /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before 'OPENSSL_sk_value' 402 |DEFINE_STACK_OF(GENERAL_NAME) |^~~ In file included from /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/crypto.h:35, from /home/steffen/src/nail.git/src/mx/xtls.c:53: /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected identifier or '(' before 'struct' 402 |DEFINE_STACK_OF(GENERAL_NAME) |^~~ In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60: /home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before 'OPENSSL_sk_new' 402 |DEFINE_STACK_OF(GENERAL_NAME) |^~~ /home/steffen/src/nail.git/src/mx/xtls.c:402:1: error: macro "sk_GENERAL_NAME_new_null" passed 1 arguments, but takes just 0 402 |DEFINE_STACK_OF(GENERAL_NAME) | ^ ~ In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60: /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/x509v3.h:225: note: macro "sk_GENERAL_NAME_new_null" defined here 225 | #define sk_GENERAL_NAME_new_null() ((STACK_OF(GENERAL_NAME) *)OPENSSL_sk_new_null()) | I have not tested OpenSSL 3.0 for a while, but it was clean when i tried it last, my last commit was "Be truly OPENSSL_NO_DEPRECATED_3_0 clean" on 2020-07-19. I used ./config --prefix=/home/steffen/usr-kent-linux-x86_64/opt/.ossl3 \ zlib-dynamic shared no-deprecated no-async threads no-tests \ -Wl,-rpath,'$(LIBRPATH)' on a current glibc Linux (CRUX-Linux 3.6). Ciao from Germany, --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) From ab46866fa6b5c13ff26795871b41e3980b963f77 Mon Sep 17 00:00:00 2001 Message-Id: From: Steffen Nurpmeso Date: Mon, 11 Jan 2021 22:47:36 +0100 Subject: [PATCH] SSL_CONF_cmd: add SecurityLevel/security_level for SSL_CTX_set_security_level(3) --- doc/man3/SSL_CONF_cmd.pod | 28 ssl/ssl_conf.c| 20 2 files changed, 48 insertions(+) diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 97ebff047f..161feedc3a 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -190,6 +190,20 @@ for DTLS. To restrict the supported protocol versions use these commands rather than the deprecated alternative commands below. +=item B<-security_level> I + +Set the enforced security level. +Currently supported values are in between B<0> (lowest) and B<5> (highest). +The security framework disables or reject parameters inconsistent with the +set security level. +The bits of security limits affect all relevant parameters including cipher +suite encryption algorithms, supported ECC curves, supported signature +algorithms, DH parameter sizes, certificate key sizes and signature +algorithms. This limit applies no matter what other custom settings an +application has set: so if the cipher suite is set to ALL then only cipher +suites consistent with the security level are permissible. +See L for more information. + =item B<-record_padding> I Attempts to pad TLSv1.3 records so that they are a multiple of B @@ -524,6 +538,20 @@ B: use CA names extension,
Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?
On 09/01/2021 23:24, Steffen Nurpmeso wrote: > Hello. > > I do use SSL_CONF_cmd() (and modules) possibility if it exists, > since it allow users to simply use the features of the newest > OpenSSL library without any code changes on my side. > This is great, and i think i applauded in the past. > > I discovered security_level(), needless to say i thought > @SECLEVEL= of ciphers(1) was broken until i discovered -s is > required to make it functional (..and do not get me started on > -ciphersuites..). > > Wouldn't it make sense to offer SecurityLevel as a keyword for > SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since > it seems (from the manual) to extend to more than what i would > assume to be covered by a @SECLEVEL member of CipherString aka > ..Ciphersuites...? This is probably a good idea. I'd support it if someone wanted to add that. Matt