Changes between 1.1.1d and 1.1.1e [xx XXX xxxx]
+ *) X509 certificates signed using SHA1 are no longer allowed at security
+ level 1 and above.
+ In TLS/SSL the default security level is 1. It can be set either
+ using the cipher string with @SECLEVEL, or calling
+ SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1,
+ a call to SSL_CTX_use_certificate() will fail if the security level is not
+ lowered first.
+ Outside TLS/SSL, the default security level is -1 (effectively 0). It can
+ be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level
+ options of the apps.
+ [Kurt Roeckx]
+
*) Corrected the documentation of the return values from the EVP_DigestSign*
set of functions. The documentation mentioned negative values for some
errors, but this was never the case, so the mention of negative values
Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [under development]
- o
+ o X509 certificates signed using SHA1 are no longer allowed at security
+ level 1 or higher. The default security level for TLS is 1, so
+ certificates signed using SHA1 are by default no longer trusted to
+ authenticate servers or clients.
Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]
uint32_t flags;
const EVP_MD *mgf1md = NULL, *md = NULL;
RSA_PSS_PARAMS *pss;
+ int secbits;
/* Sanity check: make sure it is PSS */
if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS)
else
flags = 0;
/* Note: security bits half number of digest bits */
- X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, EVP_MD_size(md) * 4,
+ secbits = EVP_MD_size(md) * 4;
+ /*
+ * SHA1 and MD5 are known to be broken. Reduce security bits so that
+ * they're no longer accepted at security level 1. The real values don't
+ * really matter as long as they're lower than 80, which is our security
+ * level 1.
+ * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
+ * 2^63.4
+ * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
+ * puts a chosen-prefix attack for MD5 at 2^39.
+ */
+ if (mdnid == NID_sha1)
+ secbits = 64;
+ else if (mdnid == NID_md5_sha1)
+ secbits = 68;
+ else if (mdnid == NID_md5)
+ secbits = 39;
+ X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits,
flags);
rv = 1;
err:
return;
/* Security bits: half number of bits in digest */
siginf->secbits = EVP_MD_size(md) * 4;
+ /*
+ * SHA1 and MD5 are known to be broken. Reduce security bits so that
+ * they're no longer accepted at security level 1. The real values don't
+ * really matter as long as they're lower than 80, which is our security
+ * level 1.
+ * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
+ * 2^63.4
+ * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
+ * puts a chosen-prefix attack for MD5 at 2^39.
+ */
+ if (mdnid == NID_sha1)
+ siginf->secbits = 63;
+ else if (mdnid == NID_md5)
+ siginf->secbits = 39;
switch (mdnid) {
case NID_sha1:
case NID_sha256:
ok(!verify("badalt10-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
"Name constraints nested DNS name excluded");
-ok(verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
- "Certificate PSS signature using SHA1");
+ok(verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
+ "Accept PSS signature using SHA1 at auth level 0");
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");
-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
- "Reject PSS signature using SHA1 and auth level 2");
+ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
+ "Reject PSS signature using SHA1 and auth level 1");
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"PSS signature using SHA256 and auth level 2");