[Cryptography] OpenSSL minimal "safe" configuration?

Ray Dillinger bear at sonic.net
Thu Jan 21 11:52:43 EST 2016



On 01/19/2016 07:24 AM, Viktor Dukhovni wrote:

> In the meantime, in OpenSSL 1.1.0-dev, I've added support for
> Configuring the build to disable any or all the TLS or DTLS protocols.
> 
> 	no-tls/no-ssl3/no-tls1/no-tls1_1/no-tls1_2/
> 	no-ssl3-method/no-tls1-method/no-tls1_1-method/no-tls1_2-method
> 	no-dtls/no-dtls1/no-dtls1_2/no-dtls1-method/no-dtls1_2-method
> 
> The no-tls option disables *negotiation* of all TLS protocols via
> the version-flexible TLS_method(), the no-dtls does the same for
> DTLS.  The no-...-method variants also disable support for the
> corresponding version-specific method.
> 
> This does not remove all possible dead code that may result from
> disabling all the protocol methods that use it, that will be a
> future enhancement.
> 
> Enjoy.  There are also many options to disable various crypto
> primitives, but removing sha1 or md5 entirely presently breaks the
> build.

Thank you for doing that, and doing it at the build level
rather than in some way a mere shell script passing it
command lines could ignore.

I'm still not happy about MD5 (which is even more broken
than SHA1) being in the compiled code at all for fear that
a stack stomp attack could get at it or something, but it's
hard to imagine coordinating a stack stomp with a protocol
downgrade to MD5 in a way that would result in valid protocol
messages.

Not the sort of thing I can dismiss as impossible, after
FREAK and POODLE and a few more advanced-persistent-threat
things I've been exposed to. But hard to imagine how to do.

			Bear
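
Added example, not part of the original message and not OpenSSL's own code: a shell check that a build's configuration header really has the requested protocol versions compiled out. It assumes each Configure option no-<feature> is recorded in opensslconf.h as `#define OPENSSL_NO_<FEATURE>`; the function names and the sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenSSL build header for compiled-out protocols.
# Assumption: Configure option no-<feature> is recorded in opensslconf.h as
# "#define OPENSSL_NO_<FEATURE>" (upper-cased, '-' replaced by '_').

# Map a Configure option such as "no-tls1_1-method" to its macro name.
macro_for() {
    printf 'OPENSSL_NO_%s' "$(printf '%s' "${1#no-}" | tr 'a-z-' 'A-Z_')"
}

# audit_conf HEADER OPTION...
# Prints each required option whose macro is NOT defined in HEADER.
# Returns 0 if every option is present, 1 otherwise.
audit_conf() {
    header=$1; shift
    missing=0
    for opt in "$@"; do
        macro=$(macro_for "$opt")
        # Whole-word match on "#define X" / "# define X", so that
        # OPENSSL_NO_TLS1_METHOD does not satisfy a check for OPENSSL_NO_TLS1.
        if ! grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$header"; then
            printf '%s\n' "$opt"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample header (not taken from a real build): SSLv3 is fully
# disabled, TLS 1.0 only has its version-specific method disabled.
sample_header() {
    cat <<'EOF'
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
# define OPENSSL_NO_SSL3_METHOD
#endif
#ifndef OPENSSL_NO_TLS1_METHOD
# define OPENSSL_NO_TLS1_METHOD
#endif
EOF
}

# Usage: audit_conf /path/to/opensslconf.h no-ssl3 no-tls1 no-tls1-method
```

Run against the sample header with `no-ssl3 no-ssl3-method no-tls1 no-tls1-method`, it reports `no-tls1`: the version-specific method is gone but TLS 1.0 negotiation is still compiled in.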
