
Re: x509 AlgorithmIdentifier parameters

From: Thomas Singer <thomas.singer_at_syntevo.com>
Date: Thu, 8 Feb 2018 14:57:49 +0100

Hi Philip,

Thank you for your effort in analyzing this bug and finding work-arounds
or fixes.

We are using a magic script to build all subversion dependencies, e.g.
openssl-1.0.2 and cyrus-sasl-2.1.26. I've used the master branch from
<https://github.com/openssl/openssl> for compiling (~163MB for the
master vs. ~24MB for version 1.0.2) which seems to have compiled fine,
but unfortunately the cyrus-sasl-2.1.26 fails to build. Without actually
understanding what happens there under the hood, I'm a little bit lost.
Should cyrus-sasl also be updated to be compatible with the openssl master?

--
Best regards,
Thomas Singer
=============
syntevo GmbH
http://www.syntevo.com
http://www.syntevo.com/blog

On 2018-02-03 22:40, Philip Martin wrote:
> Philip Martin <philip_at_codematters.co.uk> writes:
> 
>> A client using openssl 1.0 will connect to a server serving the
>> RSASSA-PSS cert.  Clients using openssl 1.1 fail to verify cert.  The
>> underlying openssl 1.1 error appears to be
>>
>>    $ openssl s_client -connect localhost:8887 -CAfile apache2/ssl/ca-cert.pem
>>    ...
>>    Verify return code: 68 (CA signature digest algorithm too weak)
>>
>> This suggests that RSASSA-PSS is obsolete, but as I mentioned earlier in
>> the thread there are recent changes to the openssl project
>> adding/extending RSASSA-PSS support as part of TLS 1.3:
> 
> I built openssl trunk (1.1.1-dev) and it is able to verify the cert:
> 
>     $ LD_LIBRARY_PATH=/usr/local/openssl/lib /usr/local/openssl/bin/openssl s_client -connect localhost:8887 -CAfile=apache2/ssl/ca-cert.pem
>     ...
>     Verify return code: 0 (ok)
> 
> This is exactly the same server and cert that cause openssl 1.1 to fail.
> 
Received on 2018-02-08 14:58:10 CET
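The thread's subject is the AlgorithmIdentifier of an RSASSA-PSS-signed certificate. Unlike sha256WithRSAEncryption, whose OID alone fixes the digest, the rsassaPss OID carries the hash function, mask generation function and salt length inside its parameters field (RFC 4055), so a verifier that wants to judge the signature digest has to parse those parameters rather than just the OID. As an added example, not code from this thread or from the Subversion or OpenSSL projects, the following Python walks an AlgorithmIdentifier in DER and reports which digest the signature used. The sample encodings at the bottom are constructed for the example, and the OID table is deliberately limited to the algorithms the example needs.

```python
"""Decode an X.509 AlgorithmIdentifier and, for RSASSA-PSS, its parameters (RFC 4055).

Added example with a minimal DER walker and no external dependencies.
"""
from typing import Any, Dict, Tuple

OID_RSASSA_PSS = "1.2.840.113549.1.1.10"
OID_MGF1 = "1.2.840.113549.1.1.8"

# Only the OIDs this example needs (assumption: extend for other algorithms).
OID_NAMES = {
    OID_RSASSA_PSS: "rsassaPss",
    OID_MGF1: "mgf1",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}
# Digest fixed by the OID itself (PKCS#1 v1.5); PSS carries it in parameters instead.
IMPLIED_DIGEST = {"sha1WithRSAEncryption": "sha1", "sha256WithRSAEncryption": "sha256"}
# RFC 4055 defaults for omitted RSASSA-PSS-params components.
PSS_DEFAULTS = {"hashAlgorithm": "sha1", "maskGenAlgorithm": "mgf1",
                "mgfHash": "sha1", "saltLength": 20, "trailerField": 1}


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("DER length exceeds buffer")
    return tag, data[pos:end], end


def decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER payload into dotted form."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc, pending = 0, False
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def decode_pss_params(body: bytes) -> Dict[str, Any]:
    """Decode RSASSA-PSS-params; every component is EXPLICIT-tagged and optional."""
    params = dict(PSS_DEFAULTS)
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0xA0:                     # [0] hashAlgorithm
            params["hashAlgorithm"] = decode_algorithm_identifier(val)["name"]
        elif tag == 0xA1:                   # [1] maskGenAlgorithm; mgf1 wraps its own hash AlgorithmIdentifier
            mgf = decode_algorithm_identifier(val)
            params["maskGenAlgorithm"] = mgf["name"]
            if isinstance(mgf["parameters"], dict):
                params["mgfHash"] = mgf["parameters"]["name"]
        elif tag == 0xA2:                   # [2] saltLength INTEGER
            params["saltLength"] = int.from_bytes(read_tlv(val, 0)[1], "big", signed=True)
        elif tag == 0xA3:                   # [3] trailerField INTEGER
            params["trailerField"] = int.from_bytes(read_tlv(val, 0)[1], "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in RSASSA-PSS-params")
    return params


def decode_algorithm_identifier(der: bytes) -> Dict[str, Any]:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    result: Dict[str, Any] = {"oid": oid, "name": OID_NAMES.get(oid, oid), "parameters": None}
    if pos < len(body):                     # parameters present
        ptag, pval, pend = read_tlv(body, pos)
        if ptag == 0x05:
            result["parameters"] = "NULL"
        elif oid == OID_RSASSA_PSS and ptag == 0x30:
            result["parameters"] = decode_pss_params(pval)
        elif oid == OID_MGF1 and ptag == 0x30:
            result["parameters"] = decode_algorithm_identifier(body[pos:pend])
        else:
            result["parameters"] = pval.hex()   # opaque: keep the raw bytes
    return result


def signature_digest(algid_der: bytes) -> str:
    """Digest a signature used: from the OID for PKCS#1 v1.5, from the parameters for PSS."""
    alg = decode_algorithm_identifier(algid_der)
    if alg["oid"] == OID_RSASSA_PSS:
        params = alg["parameters"] if isinstance(alg["parameters"], dict) else PSS_DEFAULTS
        return params["hashAlgorithm"]
    return IMPLIED_DIGEST.get(alg["name"], "unknown")


def tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (definite length); used only to build the constructed samples."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Constructed sample encodings (not taken from the thread).
_OID_PSS = bytes.fromhex("06092a864886f70d01010a")
_OID_MGF1 = bytes.fromhex("06092a864886f70d010108")
_OID_SHA256 = bytes.fromhex("0609608648016503040201")
_OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")
_SHA256_ALG = tlv(0x30, _OID_SHA256 + b"\x05\x00")
# RSASSA-PSS with SHA-256, MGF1 over SHA-256 and a 32-byte salt
PSS_SHA256_ALGID = tlv(0x30, _OID_PSS + tlv(0x30,
    tlv(0xA0, _SHA256_ALG)
    + tlv(0xA1, tlv(0x30, _OID_MGF1 + _SHA256_ALG))
    + tlv(0xA2, tlv(0x02, b"\x20"))))
# RSASSA-PSS with an empty parameter SEQUENCE: every component takes its RFC 4055 default (SHA-1)
PSS_DEFAULTS_ALGID = tlv(0x30, _OID_PSS + tlv(0x30, b""))
# Classic sha256WithRSAEncryption with NULL parameters
PKCS1_SHA256_ALGID = tlv(0x30, _OID_SHA256_RSA + b"\x05\x00")

if __name__ == "__main__":
    for label, der in (("pss-sha256", PSS_SHA256_ALGID), ("pss-defaults", PSS_DEFAULTS_ALGID),
                       ("pkcs1-sha256", PKCS1_SHA256_ALGID)):
        print(label, decode_algorithm_identifier(der), "digest:", signature_digest(der))
```

The second sample is the instructive one: a PSS AlgorithmIdentifier whose parameter SEQUENCE is empty is perfectly valid DER, yet it means SHA-1 for both the hash and the MGF, so any tool that reports the signature digest from the OID alone would say nothing about it at all. To inspect a real certificate, feed the bytes of its outer `signatureAlgorithm` SEQUENCE to `decode_algorithm_identifier`.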

This is an archived mail posted to the Subversion Dev mailing list.
