Lower OpenSSL security level to 0 and update documentation

Issue: droe#248
virtueistheonlygood · Aug 4, 2019 · 8ddd9cf · 8ddd9cf
1 parent 2398bca
commit 8ddd9cf
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 11 deletions.
diff --git a/defaults.h b/defaults.h
@@ -72,13 +72,23 @@
 /*
  * Default leaf key RSA keysize in bits.
  *
- * While browsers still generally accept it, use a leaf key size of 1024 bit
- * for leaf keys.  When browsers start to sunset 1024 bit RSA in leaf keys, we
- * will need to make this value bigger, and/or configurable.
- * Until then, users who want a different size can always use their own
- * pre-generated leaf key instead of generating one automatically.
- * OpenSSL security level of 2+ does not accept key size of 1024 bits, giving 
- * a "key too small" error while loading forged cert into SSL ctx.
+ * While implementations still generally accepted leaf keys of 1024 bits in
+ * size, we used 1024 for leaf keys.  As implementations are starting to sunset
+ * 1024 bit RSA not only for CA keys, but also for leaf keys, we now use a 2048
+ * bit key size for the leaf cert key in order to maximize interoperability in
+ * default config.
+ *
+ * Users who want a different size, for example 1024 bit RSA for performance,
+ * can always use their own pre-generated leaf key using the -K option instead
+ * of generating one automatically.
+ *
+ * Refer to the following resources on key sizes accepted by different
+ * implementations.  Note that OpenSSL security level restrictions potentially
+ * apply to both sslsplit and all of the clients and servers using OpenSSL.
+ *
+ * OpenSSL:
+ * https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_get_security_level.html
+ * https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_security_level.html
  */
 #define DFLT_LEAFKEY_RSABITS 2048
 

diff --git a/pxyconn.c b/pxyconn.c
@@ -728,9 +728,17 @@ pxy_sslctx_setoptions(SSL_CTX *sslctx, pxy_conn_ctx_t *ctx)
 	SSL_CTX_set_cipher_list(sslctx, ctx->opts->ciphers);
 
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
-	/* If the security level of OpenSSL is set to 2+ in system configuration, 
-	 * our forged certificates with 1024-bit RSA key size will be rejected */
-	SSL_CTX_set_security_level(sslctx, 1);
+	/*
+	 * For maximum interoperability, force the security level to 0, meaning
+	 * all algorithms are permitted.  If we don't set the security level,
+	 * the level is taken from OpenSSL system configuration or library
+	 * compile-time defaults.  Security levels above 0 will reject weak
+	 * algorithms and key sizes both locally at load time and when they are
+	 * encountered from peers we receive connections from or connect to.
+	 * Specifically, our prevous default RSA leaf key size of 1024 bits
+	 * was rejected by a security level of 2 or higher (issue #248).
+	 */
+	SSL_CTX_set_security_level(sslctx, 0);
 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 }
 

diff --git a/sslsplit.1.in b/sslsplit.1.in
@@ -216,7 +216,7 @@ no matching certificate in the provided certificate directory.
 .TP
 .B \-K \fIpemfile\fP
 Use private key from \fIpemfile\fP for the leaf certificates forged on-the-fly.
-If \fB-K\fP is not given, SSLsplit will generate a random 1024-bit RSA key.
+If \fB-K\fP is not given, SSLsplit will generate a random 2048 bit RSA key.
 .TP
 .B \-l \fIlogfile\fP
 Log connections to \fIlogfile\fP in a single line per connection format,