| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| # |
| # OpenSSL configuration file with Chromium OS specific compatiblity |
| # adjustments. This configuration is used for network authentication in |
| # wpa_supplicant and various VPN software. |
| # |
| # TODO(crbug.com/1047146): Fix various shortcomings that prompted the |
| # adjustments in this file and drop them. |
| |
| [ default ] |
| openssl_conf = default_openssl_conf |
| |
| [ default_openssl_conf ] |
| ssl_conf = compat_ssl_conf |
| |
| [ compat_ssl_conf ] |
| system_default = system_compat_ssl_conf |
| |
| [ system_compat_ssl_conf ] |
| # Set the list of client signature algorithms to exclude RSA-PSS. This is |
| # necessary because OpenSSL handles RSA-PSS by doing the padding internally and |
| # then requesting a signature without padding. That isn't supported by chaps |
| # and can't work with hardware-backed keys anyways since they generally don't |
| # support padding-less operation. Furthermore, OpenSSL will negotiate PSS |
| # padding by default, regardless of whether the private key corresponding to |
| # the certificate is actually capable of generating PSS padded signatures. As a |
| # result, the only practical solution for now is to disable RSA-PSS. Note that |
| # this isn't worse from what we did with the previous OpenSSL library version, |
| # since that didn't support PSS at all in the TLS code. |
| # |
| # The list below was obtained from the sigalg_lookup_tbl[] in ssl/t1_lib.c in |
| # the OpenSSL source code and listing everything that is not RSA-PSS. |
| ClientSignatureAlgorithms = RSA+SHA1:RSA+SHA224:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA1:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448 |
| |
| # TLS 1.3 no longer allows RSA with PKCS#1 padding. OpenSSL uses TLS 1.3 by |
| # default if possible, in which case we end up in a situation without a working |
| # RSA signature algorithm, so client authentication can't work. To work around |
| # this we only allow TLS 1.2 and below for now. |
| MaxProtocol = TLSv1.2 |
| |
| # Set the security level to 0 to match behavior of previous versions of |
| # OpenSSL. The default security level in newer versions is 1 (corresponding to |
| # 80 bits of security strength), which makes OpenSSL reject e.g. MD5. However, |
| # we have no comprehensive data on whether such weak crypto is still present in |
| # network configs in the wild (one would certainly hope that noone uses MD5 in |
| # 2020, but previous experience suggests otherwise). Thus for the purpose of |
| # removing this compatibility risk from the OpenSSL upgrade, we set the security |
| # level to 0 for now. |
| # |
| # Note that this doesn't weaken network setups configured with strong crypto - |
| # these configure CA certificates that use proper crypto and don't use weak |
| # crypto in certificate chains. Plus it'd be no worse than previous OpenSSL |
| # behavior anyways. |
| # |
| # We should still phase out support for inadequate crypto rather sooner than |
| # later, but that's a project of its own with a considerable timeline. |
| CipherString = DEFAULT:@SECLEVEL=0 |