# Copyright 2020 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# OpenSSL configuration file with Chromium OS specific compatibility
# adjustments. This configuration is used for network authentication in
# wpa_supplicant and various VPN software.
#
# TODO(crbug.com/1047146): Fix various shortcomings that prompted the
# adjustments in this file and drop them.
# The three sections below form a chain of name references: openssl_conf names
# the library-wide configuration section, ssl_conf names the SSL module
# section, and system_default names the section holding the SSL settings.
[ default ]
openssl_conf = default_openssl_conf
[ default_openssl_conf ]
ssl_conf = compat_ssl_conf
[ compat_ssl_conf ]
# In OpenSSL's SSL configuration module, system_default is the section applied
# to SSL contexts by default. The relaxed settings it points at therefore
# affect every TLS user in a process that loads this file, not one connection.
system_default = system_compat_ssl_conf
# SSL settings applied by default to TLS users that load this file. Every
# setting in this section relaxes or pins a library default for compatibility;
# each one has its own rationale below.
[ system_compat_ssl_conf ]
# Set the list of client signature algorithms to exclude RSA-PSS. This is
# necessary because OpenSSL handles RSA-PSS by doing the padding internally and
# then requesting a signature without padding. That isn't supported by chaps
# and can't work with hardware-backed keys anyway, since they generally don't
# support padding-less operation. Furthermore, OpenSSL will negotiate PSS
# padding by default, regardless of whether the private key corresponding to
# the certificate is actually capable of generating PSS padded signatures. As a
# result, the only practical solution for now is to disable RSA-PSS. Note that
# this isn't worse than what we did with the previous OpenSSL library version,
# since that didn't support PSS at all in the TLS code.
#
# The list below was obtained from the sigalg_lookup_tbl[] in ssl/t1_lib.c in
# the OpenSSL source code and listing everything that is not RSA-PSS.
#
# NOTE(review): ClientSignatureAlgorithms governs signatures made for client
# authentication; the algorithms accepted from the server are not set here.
# The list is a static snapshot, so it has to be re-derived when the OpenSSL
# version changes. It also keeps the SHA1 and DSA entries from that table.
ClientSignatureAlgorithms = RSA+SHA1:RSA+SHA224:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA1:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448
# TLS 1.3 no longer allows RSA with PKCS#1 padding. OpenSSL uses TLS 1.3 by
# default if possible, in which case we end up in a situation without a working
# RSA signature algorithm, so client authentication can't work. To work around
# this we only allow TLS 1.2 and below for now.
#
# NOTE(review): the cap applies to every connection using these defaults,
# including ones that perform no client authentication. It is coupled to the
# RSA-PSS exclusion above; revisit both together.
MaxProtocol = TLSv1.2
# Set the security level to 0 to match behavior of previous versions of
# OpenSSL. The default security level in newer versions is 1 (corresponding to
# 80 bits of security strength), which makes OpenSSL reject e.g. MD5. However,
# we have no comprehensive data on whether such weak crypto is still present in
# network configs in the wild (one would certainly hope that no one uses MD5 in
# 2020, but previous experience suggests otherwise). Thus for the purpose of
# removing this compatibility risk from the OpenSSL upgrade, we set the security
# level to 0 for now.
#
# Note that this doesn't weaken network setups configured with strong crypto -
# these configure CA certificates that use proper crypto and don't use weak
# crypto in certificate chains. Plus it'd be no worse than previous OpenSSL
# behavior anyway.
#
# NOTE(review): that argument covers certificate chains anchored at a
# configured CA. It does not cover setups that configure no CA certificate.
# Level 0 also removes the library's floor on key sizes and digests for the
# handshake itself, so weak parameters are accepted without any error.
#
# We should still phase out support for inadequate crypto sooner rather than
# later, but that's a project of its own with a considerable timeline.
CipherString = DEFAULT:@SECLEVEL=0