Re: x509 AlgorithmIdentifier parameters
Philip Martinwrites: > A client using openssl 1.0 will connect to a server serving the > RSASSA-PSS cert. Clients using openssl 1.1 fail to verify cert. The > underlying openssl 1.1 error appears to be > > $ openssl s_client -connect localhost:8887 -CAfile apache2/ssl/ca-cert.pem > ... > Verify return code: 68 (CA signature digest algorithm too weak) > > This suggests that RSASSA-PSS is obsolete, but as I mentioned earlier in > the thread there are recent changes to the openssl project > adding/extending RSASSA-PSS support as part of TLS 1.3: I built openssl trunk (1.1.1-dev) and it is able to verify the cert: $ LD_LIBRARY_PATH=/usr/local/openssl/lib /usr/local/openssl/bin/openssl s_client -connect localhost:8887 -CAfile=apache2/ssl/ca-cert.pem ... Verify return code: 0 (ok) This is exactly the same server and cert that cause openssl 1.1 to fail. -- Philip
Re: x509 AlgorithmIdentifier parameters
Philip Martinwrites: > Philip Martin writes: > >> In Marc's case getting a new server cert that is not RSASSA-PSS might be >> the best solution. > > r1822996 fixes the x509 parser on trunk. It doesn't mean that the > client will be able to verify the RSASSA-PSS certs (you would need an > OpenSSL fix for that) but it does allow a JavaHL client to accept the > failure to verify. Another data point: the behaviour varies between openssl 1.0 and openssl 1.1. With openssl 1.1 the apache server will not even start when using an RSASSA-PSS cert [Sat Feb 03 10:18:03.858279 2018] [ssl:emerg] [pid 2717:tid 139629607192448] SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak With openssl 1.0 the server does start. I'm using openssl 1.1 to generate the cert in both cases. A client using openssl 1.0 will connect to a server serving the RSASSA-PSS cert. Clients using openssl 1.1 fail to verify cert. The underlying openssl 1.1 error appears to be $ openssl s_client -connect localhost:8887 -CAfile apache2/ssl/ca-cert.pem ... Verify return code: 68 (CA signature digest algorithm too weak) This suggests that RSASSA-PSS is obsolete, but as I mentioned earlier in the thread there are recent changes to the openssl project adding/extending RSASSA-PSS support as part of TLS 1.3: https://github.com/openssl/openssl/issues/2878 -- Philip
Re: svn commit: r1822996 - in /subversion/trunk/subversion: libsvn_subr/x509parse.c tests/libsvn_subr/x509-test.c
On 02.02.2018 19:27, phi...@apache.org wrote: > Author: philip > Date: Fri Feb 2 18:27:44 2018 > New Revision: 1822996 > > URL: http://svn.apache.org/viewvc?rev=1822996=rev > Log: > Fix x509 parser to accept RSASSA-PSS certs by no longer assuming that > algorithm parameters are NULL for all algorithms. This change doesn't > affect whether clients can verify RSASSA-PSS certs, that decision is > delegated to OpenSSL, but it does allow JavaHL clients to accept a > failure to verify such certs. Backport for 1.10? -- Brane