https://bugs.openldap.org/show_bug.cgi?id=10181
Issue ID: 10181
Summary: No support for setting allowed signature algorithms or groups/curves for OpenSSL TLS handshake
Product: OpenLDAP
Version: 2.6.6
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: stephen.wall@redcom.com
Target Milestone: ---
The list of LDAP_OPT_X_TLS_* constants does not include anything for setting allowed curves/groups (SSL_CTX_set1_groups_list()) or signature algorithms (SSL_CTX_set1_client_sigalgs_list(), SSL_CTX_set1_sigalgs_list()) for TLS handshakes.
Support for OpenSSL's SSL_CONF_cmd() et al. API would also be a nice addition.
Howard Chu hyc@openldap.org changed:
What       | Removed     | Added
-----------|-------------|---------
Status     | UNCONFIRMED | RESOLVED
Resolution | ---         | WONTFIX
--- Comment #1 from Howard Chu hyc@openldap.org ---
Supporting such APIs would be redundant with the functionality provided in openssl.cnf. There's no good reason for us to duplicate the entire OpenSSL config API, which is what would be necessary in order to explicitly expose its features to libldap callers.
--- Comment #2 from stephen.wall@redcom.com ---
I'm afraid I don't understand your reasoning. There are configurations for setting the certificate/key, the cipher suites, DH parameters, and the min/max protocol versions in OpenLDAP. Allowed groups/curves and signature algorithms are as much a part of the TLS setup as those settings, and are provided by many other software packages I've used.
While it's possible to configure all of those things globally in openssl.cnf, they can't be configured per service there unless those services are explicitly loading a section with a particular name when they initialize OpenSSL. Since I don't see OpenLDAP using that OpenSSL API, I am guessing it doesn't do that, making it impossible to set groups/curves and sigalgs for ldap without affecting the entire system.
--- Comment #3 from Howard Chu hyc@openldap.org ---
You really believe there's a use case for a specific TLS-enabled service to use different signature algorithms or curves than every other service on a machine?
Setting the certificate/key is essential for a TLS-enabled service, and it's commonplace for an LDAP server to use different certs than other co-hosted services like web servers. It's not commonplace for every service to choose their own elliptic curve or to choose weaker signature algorithms than other services.
This ticket is closed.
--- Comment #4 from stephen.wall@redcom.com ---
There are such use cases in my industry. A device on the border between red and black networks may well need different security levels on different network interfaces. Additionally, devices that normally run at a high security level, but are forced to interoperate with one old device that does not support them, may need such capability. One could well apply your argument to cipher suites and protocol levels as well.
I will maintain local patches to supply the capabilities I need.
Otherwise, thank you for your efforts on this package.
--- Comment #5 from Howard Chu hyc@openldap.org ---
Since the path to the openssl.cnf file can be set using the OPENSSL_CONF environment variable, you can already do per-service settings if you want.
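The approach from Comment #5, worked out as an added example that is not part of the ticket or of OpenLDAP's own code: a separate OpenSSL config file that restricts the groups and signature algorithms through OpenSSL's SSL_CONF file commands, selected for the LDAP service alone by pointing its OPENSSL_CONF at this file. The file path and the specific algorithm lists are assumptions chosen for illustration.

```ini
# Added example (not from the ticket). Select it for one service only,
# e.g. in slapd's unit file or wrapper script (path is an assumption):
#   OPENSSL_CONF=/etc/ldap/openssl-ldap.cnf
# The system-wide openssl.cnf stays untouched for every other process.

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
# OpenSSL 1.1.1 and later apply this section to every SSL_CTX the process
# creates, so libldap/slapd contexts pick it up even though there is no
# LDAP_OPT_X_TLS_* option for groups or signature algorithms.
system_default = system_default_sect

[system_default_sect]
# Key-exchange groups/curves offered in the handshake
Groups = X25519:P-256
# Signature algorithms accepted on peer certificates and handshake signatures
SignatureAlgorithms = ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256
# Signature algorithms advertised to clients for client-certificate auth
ClientSignatureAlgorithms = ECDSA+SHA256:RSA+SHA256
MinProtocol = TLSv1.2
```

This depends on the process leaving OpenSSL's default config loading enabled (i.e. not initialising with OPENSSL_INIT_NO_LOAD_CONFIG); a quick check is `openssl s_client -connect host:636 -groups P-384`, which should fail to negotiate a group against a server restricted as above.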
Quanah Gibson-Mount quanah@openldap.org changed:
What     | Removed      | Added
---------|--------------|---------
Status   | RESOLVED     | VERIFIED
Keywords | needs_review |