Add additional no-op symbols for support mySQL #1002
Conversation
| @@ -4886,6 +4886,11 @@ OPENSSL_EXPORT int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str); | |||
| // more convenient to codesearch for specific algorithm values. | |||
| OPENSSL_EXPORT int SSL_set1_sigalgs_list(SSL *ssl, const char *str); | |||
|
|
|||
| // SSL_CTX_get_security_level returns 3. This is only to maintain compatibility | |||
There was a problem hiding this comment.
Do all of our SSL configurations meet OpenSSL's definition of level 3 security?
There was a problem hiding this comment.
Yeah I was on the edge on documenting this, but I was worried that entire description might make things a bit bloated. Here's what OpenSSL's definition of level 2 and 3 is:
Level 2
Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled.
Level 3
Security level set to 128 bits of security. As a result RSA, DSA and DH keys shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited. In addition to the level 2 exclusions cipher suites not offering forward secrecy are prohibited. TLS versions below 1.1 are not permitted. Session tickets are disabled.
We only support 128 bits of security, but we don't seem to prohibit session tickets and TLS 1.0 like Level 3 states. But reporting Level 2 seems to be even more out of line since we don't support 112 bits.
There was a problem hiding this comment.
I've already stated that no security assumptions should be based on the number this function returns. But should I add documentation that we return 3 because we only support 128 bits of security, but we don't prohibit session tickets and TLS 1.0 like OpenSSL states?
There was a problem hiding this comment.
I like the extra clarity. The question remains what if someone configs a connection with 256 bit cipher suites and expects this function to return 5 for them?
There was a problem hiding this comment.
I think this function only returns the "current security level" of the library. It seems to be based on how the library is configured, instead of per connection. Per the documentation:
The default security level changes when OpenSSL is compiled by
DOPENSSL_TLS_SECURITY_LEVEL=level...
Or when setting the security level with "The functions SSL_CTX_set_security_level() and SSL_set_security_level() set the security level to level. If not set the library default security level is used."
We don't support setting security levels this way yet, so I think 3 is the most suitable number to return for our existing cipher suites now. But your question does address that we'll have to change this behavior once we get an ask to support actual "security_level" setting in AWS-LC.
There was a problem hiding this comment.
Thanks, that clears this up, I agree 3 makes sense.
samuel40791765
force-pushed
the
mysql-symbols
branch
from
c3f63d4 to
19f7c79
Compare
|
Doesn't OpenSSL's security level 3 prohibit using RSA 2048 (112 bits of security), which AWS-LC allows? Shouldn't this return security level 2 instead? |
Thanks for pointing this out! After some internal discussion, it does seem like this was a misunderstanding on my end. I'll put up a PR to lower the returned security level to 2 instead, since our default features do align with 2 better. |
A contributor pointed out that our default SSL settings don't quite align with OpenSSL's definition for different security levels. * #1002 (comment) I've lowered the return number for `SSL_CTX_get_security_level`, but this function is still only for compatibility purposes.
Issues:
Resolves
CryptoAlg-1726Description of changes:
1. CONF_modules_unload
mySQL consumes the
CONF_modules_unloadAPI when building with OpenSSL1.1.1/AWS-LC.CONF_modules_unloadis used to finish and unload configuration modules in OpenSSL, but AWS-LC doesn't use the same configuration module logic. TheConf_modules_*family of functions in AWS-LC are all no-op functions, so we follow the same pattern here.2. SSL_CTX_get_security_level
mySQL consumes the
SSL_CTX_get_security_levelAPI. The definition of security levels is defined here in OpenSSL's documentation: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.htmlWe should only be using
SSL_CTX_get_security_levelto retrieve a security level number. Actually usingSSL_CTX_set_security_levelto configure security levels in AWS-LC is not supported. I've set the returned number to 3, since we only support cipher suites that are at least 128 bits in security.Call-outs:
The additional header file is to get around an expectation that the
FIPS_modefunction can be called fromerr.h.Testing:
How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.