openssl server with falcon certificate error: ca md too weak #74

Dechen2333 · 2022-10-14T11:32:26Z

Dechen2333
Oct 14, 2022

Hello,

I want to test if a openssl server with the oqsprovider works with a PQC certification:

First, generate CA selfsigned falcon key:
openssl req -x509 -new -newkey falcon1024 -keyout falcon1024_CA.key -out falcon1024_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -provider oqsprovider -provider default

Then, generate a server falcon key and certification request:
openssl req -new -newkey falcon1024 -keyout falcon1024_srv.key -out falcon1024_srv.csr -subj "/CN=oqstest server" -provider oqsprovider -provider default

Then, sign it with the CA's key:
openssl x509 -req -in falcon1024_srv.csr -out falcon1024_srv.crt -CA falcon1024_CA.crt -CAkey falcon1024_CA.key -CAcreateserial -days 365 -provider oqsprovider -provider default

Last, open server with:
openssl s_server -cert falcon1024_srv.crt -key falcon1024_srv.key -www -tls1_3 -provider default -provider oqsprovider

I got
Using default temp DH parameters
error setting certificate
00C18FC6467F0000:error:0A00018E:SSL routines:SSL_CTX_use_certificate:ca md too weak:ssl/ssl_rsa.c:224:

Version OpenSSL 3.1.0-dev,
Provider Info:
oqsprovider
name: OpenSSL OQS Provider
version: 0.4.0-dev
status: active
build info: OQS Provider v.0.4.0-dev based on liboqs v.0.7.3-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)

I've also tried with dilithium3 or 5 and the same error occurred.

Answered by baentsch

Oct 30, 2022

@Dechen2333 FYI, there's now a ready-to-run docker image allowing you to do all you want above: See https://github.com/open-quantum-safe/oqs-provider/wiki/Interoperability#ietf-115-hackathon. If OK, please also mark the question answered.

View full answer

baentsch · 2022-10-14T12:16:01Z

baentsch
Oct 14, 2022
Maintainer

This is an expected error as the last command above is (trying to) use a feature that has not yet been integrated into OpenSSL: Pluggable TLS signature algorithms will only work as and when openssl/openssl#10512 has been resolved. Also note that the required provider code is only available in oqsprovider v0.5.0-dev and later.

If you want to try it out you'd need to build the latest oqsprovider code and openssl from https://github.com/baentsch/openssl.git, checked out to branch "sigload" : That is the code underlying openssl/openssl#19312 .

0 replies

baentsch · 2022-10-30T12:16:44Z

baentsch
Oct 30, 2022
Maintainer

@Dechen2333 FYI, there's now a ready-to-run docker image allowing you to do all you want above: See https://github.com/open-quantum-safe/oqs-provider/wiki/Interoperability#ietf-115-hackathon. If OK, please also mark the question answered.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

openssl server with falcon certificate error: ca md too weak #74

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

openssl server with falcon certificate error: ca md too weak #74

Dechen2333 Oct 14, 2022

Replies: 2 comments

baentsch Oct 14, 2022 Maintainer

baentsch Oct 30, 2022 Maintainer

Dechen2333
Oct 14, 2022

baentsch
Oct 14, 2022
Maintainer

baentsch
Oct 30, 2022
Maintainer