Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Distrust cert chains using legacy signature algorithms #1124

Closed
alex opened this issue Feb 24, 2017 · 5 comments
Closed

Distrust cert chains using legacy signature algorithms #1124

alex opened this issue Feb 24, 2017 · 5 comments

Comments

@alex
Copy link
Contributor

alex commented Feb 24, 2017

I think at a start, md5 should be blacklisted, and sha-1 generate a warning, with blacklisting in the coming months.

@Lukasa suggested that urllib3 was the correct place in the http-stack to do this.
@sethmlarson
Copy link
Member

I'm not a practicing security guy but I think this seems sensible. :)

@Lukasa
Copy link
Sponsor Contributor

Lukasa commented Feb 24, 2017

So, here's some extra notes.

  1. We can only do this with PyOpenSSL right now, because only PyOpenSSL gives us access to the verify callback. The standard library does not allow us to to see the certs as they come up in the verify callback, so we can't bar any. It also doesn't let us get the whole peer cert chain, so we can't warn on chains that we'd like to make invalid. This would only work in cases where people are using PyOpenSSL as their TLS stack.
  2. We'd need some way to control how this worked so that users who need lousy cert chains can actually have them.
  3. Someone should investigate whether OpenSSL is smart enough to build alternative cert chains if possible: that is, if there are two copies of an intermediary cert, each signed with a different algorithm but with the same key and both otherwise valid, will OpenSSL correctly try them all?

@Lukasa Lukasa added the Someday label Feb 24, 2017
@sigmavirus24
Copy link
Contributor

Someone should investigate whether OpenSSL is smart enough to build alternative cert chains if possible: that is, if there are two copies of an intermediary cert, each signed with a different algorithm but with the same key and both otherwise valid, will OpenSSL correctly try them all?

I suspect @reaperhulk has an idea about this answer. That said, didn't newer ones already default to shortest path verification? Isn't that how they fixed the certificates being signed by 1024 and 2048 bit keys? IOW, I would guess that something similar should work in this case.

@pquentin
Copy link
Member

The default cipher suites were recently updated as part of TLS 1.3 support in #1496. I don't know enough to tell why we don't include !SHA1, but MD5 is blacklisted. Is there anything specific left to do here?

@sethmlarson
Copy link
Member

I think we're going to rely on how OpenSSL is configured and evolves here, there's not much we can do to configure this since it was opened and still aren't any options.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alex @pquentin @sigmavirus24 @Lukasa @sethmlarson