> From: dthomp...@prinpay.com
> To: openssl-users@openssl.org
> Subject: RE: Using self-signed certificates with openssl
> Date: Fri, 13 May 2011 22:06:55 -0400
>
> > From: owner-openssl-us...@openssl.org On Behalf Of Roger No-Spam
> > Sent: Friday, 13 May, 2011 04:15
>
> > We have decided to use openssl to protect a connection in our system
> > with TLS. Clients will be authenticated using X509 certificates. To cut
> > a long story short, a decision has been taken to use self-signed
> > certificates.
> > On the server, each client's self-signed cert will be loaded by a call to
> > SSL_CTX_load_verify_locations(). This is pretty much working as expected,
>
> To be exact: you can't be doing "a" load_verify_locations for each of
> multiple certs -- unless you do it dynamically one per SSL_accept().
> To statically accept multiple certs, you can put them all in one file,
> or in one directory with hashlinks (or hashnames), and use that file
> or that directory (or possibly one of each) for load_verify_locations.
>
We put all clients' certs in one file, which is loaded by a call to
SSL_CTX_load_verify_locations().
> > apart from one thing. If we modify the client's private key (modified a
> > bit in the privateExponent), the TLS connection is still successfully
> > established.
> > I had expected the signature verification (certificate verify message)
> > of the handshake to fail in this case.
> >
> > Are there any gotchas with self-signed certs? Or is there something
> > else we have missed that explains why the signature verification is
> > successful with the modified key?
>
> It's not the cert; the same thing happens with just keys in rsautl.
>
> OpenSSL normally stores and uses RSA privatekey in Chinese Remainder Theorem
> format, which is quite a bit faster. If you damage only the privateExponent
> 'd' it doesn't affect the private key operation. If you damage a CRT
> component it (silently!) falls back to modexp-d instead, so if you damage
> *both* a CRT component *and* d *then* you get a bad signature, and a
> handshake failure.
> I *think* this works for any bit in any CRT component, but I didn't try to
> work out the math (and certainly didn't test completely).
>
Thanks, that explains it!
> What is your threat (model) here? If an attacker can get at your clear
> privatekey file, I can't imagine why they would only flip one bit; and
> if they can get at an encrypted privatekey file, any tampering including
> a bit flip should be detected and refuse to load the key at all.
>
This was just something I quickly did as informal testing, to trigger a
signature validation failure. It is not a valid test case. But the result had
me worried that I had misunderstood how self-signed certs can be used in
openssl. But I think everything is explained now. Thanks for your help.
Regards Roger
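The behaviour Dave describes above (CRT signing that ignores a damaged 'd', and a fallback to plain m^d mod n when a CRT component is damaged) can be reproduced with a small model. The following is an added example, not code from the thread or from OpenSSL: it uses a constructed toy key (two small primes, not a real key size) and assumes the fallback rule works as the reply states, namely that the CRT result is checked by re-encrypting it with the public exponent and the plain exponentiation with d is used only when that check fails.

```python
# Added example: a pure-Python model of the RSA private-key path described in
# the thread. Not OpenSSL's code; the toy primes below are constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RsaKey:
    n: int     # modulus
    e: int     # public exponent
    d: int     # private exponent ('privateExponent' in the PEM/ASN.1 key)
    p: int     # first prime
    q: int     # second prime
    dp: int    # d mod (p-1)   (CRT component)
    dq: int    # d mod (q-1)   (CRT component)
    qinv: int  # q^-1 mod p    (CRT component)


def make_toy_key(p: int, q: int, e: int = 65537) -> RsaKey:
    """Derive d and the CRT components from two (constructed) primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # needs Python 3.8+
    return RsaKey(n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def private_op_crt(m: int, k: RsaKey) -> int:
    """m^d mod n computed via the CRT; never touches k.d itself."""
    m1 = pow(m, k.dp, k.p)
    m2 = pow(m, k.dq, k.q)
    h = (k.qinv * (m1 - m2)) % k.p
    return m2 + h * k.q


def private_op_plain(m: int, k: RsaKey) -> int:
    """The slow path: plain modular exponentiation with d."""
    return pow(m, k.d, k.n)


def private_op_with_fallback(m: int, k: RsaKey):
    """Assumed model of the library behaviour from the reply: try the CRT,
    verify the result with the public key, and silently fall back to the
    plain d path if the CRT result does not check out."""
    s = private_op_crt(m, k)
    if pow(s, k.e, k.n) == m:
        return s, "crt"
    return private_op_plain(m, k), "fallback-d"


def signature_is_valid(m: int, s: int, pub: RsaKey) -> bool:
    """What the server does with the CertificateVerify: check s^e == m."""
    return pow(s, pub.e, pub.n) == m


def flip_bit(x: int, bit: int) -> int:
    return x ^ (1 << bit)


def run_scenarios() -> dict:
    """Sign the same value with an intact key and three damaged copies and
    report which path was taken and whether the server would accept it."""
    key = make_toy_key(1000000007, 998244353)   # constructed toy primes
    m = 0x48656C6C6F                           # stand-in for a hashed message, < n
    scenarios = {
        "intact": key,
        "d corrupted": replace(key, d=flip_bit(key.d, 5)),
        "dp corrupted": replace(key, dp=flip_bit(key.dp, 5)),
        "d and dp corrupted": replace(key, d=flip_bit(key.d, 5),
                                      dp=flip_bit(key.dp, 5)),
    }
    results = {}
    for name, damaged in scenarios.items():
        s, path = private_op_with_fallback(m, damaged)
        # Verification always uses the undamaged public half (n, e).
        results[name] = (path, signature_is_valid(m, s, key))
    return results


if __name__ == "__main__":
    for name, (path, ok) in run_scenarios().items():
        print(f"{name:22s} path={path:10s} server_accepts={ok}")
```

Run as a script it prints one line per scenario. Only the copy with both 'd' and a CRT component damaged yields a signature the server rejects, which is exactly why the informal bit-flip in the privateExponent did not produce a handshake failure; the "dp corrupted" case shows the silent fallback, so a damaged CRT component costs performance but is not detected at the TLS layer either. Tampering with a stored key file is better caught by protecting the file itself (encryption, integrity checks, access control) than by expecting the handshake to fail.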