IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 11 July 2015 19:00 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 204C61A886E for <tls@ietfa.amsl.com>; Sat, 11 Jul 2015 12:00:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mFs2qBAHQSTg for <tls@ietfa.amsl.com>; Sat, 11 Jul 2015 12:00:50 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 354541A8879 for <tls@ietf.org>; Sat, 11 Jul 2015 12:00:47 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 56BA4284D6A; Sat, 11 Jul 2015 19:00:40 +0000 (UTC)
Date: Sat, 11 Jul 2015 19:00:40 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150711190040.GS28047@mournblade.imrryr.org>
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <CABcZeBO2k230mP+qpP+Mfr3ee9tsvWe6BOcAgCtYxj3=PzOZPg@mail.gmail.com> <20150711151729.GO28047@mournblade.imrryr.org> <201507111432.29731.davemgarrett@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201507111432.29731.davemgarrett@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/0952KDU22qzkA0hjwdIk2fXTXd4>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2015 19:00:53 -0000

On Sat, Jul 11, 2015 at 02:32:29PM -0400, Dave Garrett wrote:

> > Correct.  It is important to try to match a supported algorithm,
> > but failing that, send what you have.  It may well work just fine
> > for the client, since the signatures in question are not made in
> > real-time by the server, but rather at some previous time by some
> > CA, which the client may not care about (pinned leaf cert, DANE
> > leaf cert, opportunistic TLS, ...).
> > 
> > And the point about debugging also makes sense.  The client
> > administrator can much more easily determine which additional
> > algorithm is required to interoperate with the server.
> 
> Ok, draft language for new behavior here:

[ Reordered, feedback question before draft language ]

> Sound viable?
> 
> (this might be a bit too wordy, though; the wording throughout the document
> about fatal alerts could probably be simplified a bit)

Not really viable, and yes, much too wordy and not quite right:

> ==============================
> If a server receives a ClientHello, but the server cannot produce a valid
> end-entity certificate using the hash/signature pairs known to be supported by
> the client (via this extension or the defaults assumed in its absence),
> then the server MUST send an "unsupported_certificate" alert message and
> close the connection.

The signature of the leaf certificate is just as irrelevant as
signatures up the chain.  With pinned leaf certificates, DANE-EE(3),
opportunistic TLS, ... even the leaf (end-entity) certificate
signature algorithm is of no consequence and is ignored by the
client.

Therefore, this qualification is not needed, and the server SHOULD
NOT send any alert or close the connection even when the client's
supported signature algorithms do not include the signature algorithm
used for some certificate in the chain (regardless of depth).
Instead the server MUST send whatever chain it has whose leaf public
key is compatible with the agreed cipher-suite.  (The server of course
chooses the agreed cipher-suite to make the last condition true). 

If at all possible, the server SHOULD choose a chain all of whose
signatures (excluding any self-signed root CAs) match the client's
signature algorith list.  If that's not possible, it SHOULD send
a default chain (often the only chain it has) with a compatible
public key.

[ Of course, perhaps worth mentioning, none of this applies with
RFC 7250 raw-public-keys, because there is no chain or signatures
to send, the server just sends its SPKI public key per RFC 7250. ]

> In the event that a server can produce a valid end-entity
> certificate known to be supported by the client, however the known supported
> hash/signature pairs are insufficient to produce a known valid certificate
> chain, the server is RECOMMENDED to send a complete valid certificate chain
> which attempts to use supported hash/signature pairs where possible yet
> includes certificates with unknown client support.

As above: s/RECOMMENDED/SHOULD/.  It is NOT up to the server to decide
which chains the client can accept.  The server has insufficient
information, and therefore SHOULD NOT preempt the client's decision
of whether the chain works or not.

> If the client cannot build
> a trusted chain using these certificates and any other trusted information it
> has access to, then it MUST send an "unsupported_certificate" alert message
> and close the connection.

If the client chooses to authenticate the server's chain (i.e.
not unauthenticated opportunistic TLS) and fails to do so because
it does not support  the signature algorithm in one or more
certificates that are needed for said authentication, then it
MUST send ...

> The server MAY instead choose to simply send an
> "unsupported_certificate" alert message and close the connection.

No, the server SHOULD NOT preempt the client's decision.  I'd
personally prefer MUST NOT, but there are arguably servers whose
clients are all known to never use trust on first use certificate
pinning, DANE, unauthenticated opportunistic TLS, ...

If we need to weasel out and give some servers the choice to lock
out all clients that do anything remotely unorthodox, then SHOULD
NOT provides some rope.  I think such weaseling out is likely to
do more harm than good, but I'm open to concede the rope if need
be.

On the public Internet, such servers will be few and far between,
and the choice to preempt the client should not be a default choice
made by the TLS library.  If some particular application wants to
limit client support, that choice needs to be explicitly signalled
to the TLS library.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email