[exim-dev] [Bug 674] exim can't verify sha256WithRSAEncrypti…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Martin Kaiser
Dátum:  
Címzett: exim-dev
Régi témák: [exim-dev] [Bug 674] New: exim can't verify sha256WithRSAEncryption signature in X. 509 certificates when linked against OpenSSL
Tárgy: [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=674




--- Comment #11 from Martin Kaiser <eximBugzilla@???> 2008-08-14 21:02:12 ---
(In reply to comment #9)

Hi Phil,

nice to see that there's been some activity about this bug lately ;-)

> Created an attachment (id=261)

--> (http://bugs.exim.org/attachment.cgi?id=261) [details]
> New global option, openssl_load_all
>
> I think this is a reasonable compromise and sensible way forward for now,
> without undermining the whole point of the exercise.
>
> A new option, available when SUPPORT_TLS defined, "openssl_load_all". It's a
> boolean, default false. It is a fatal error to set this true without also
> defining "tls_require_ciphers".
>
> The theory being that anyone who knows to load all algorithms knows enough to
> make their own educated decision about a cipher policy but that loading all
> algorithms has the risk of adding new dangerous ciphers that should not be
> present and would be a security step backwards. This avoids Exim needing to
> push a cipher which can become stale and puts Exim only in the position of
> having some mild protection against accidental shooting of self in foot.
>
> I was able to use Martin's sha256 stuff successfully with this patch.
>


no doubt that this is going to do the trick. However, I think this is quite
complicated for an admin. Thinking about the issue again, my preferred solution
would be to just add SHA256 by a call to EVP_AddDigest(). This way, we're not
accidentially enabling weak ciphers and there's no additional complexity for
the exim administrator. I would assume that X.509 certificates with
sha256-based signature (or more exactly pkcs1 1.5 signature using sha256) will
become more and more common.

Best regards,

Martin


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email