IETF Logo Mail Archive

Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

Nikos Mavrogiannopoulos <nmav@redhat.com> Thu, 15 November 2018 15:48 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3359A130DCF for <tls@ietfa.amsl.com>; Thu, 15 Nov 2018 07:48:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mPQDdcryg45j for <tls@ietfa.amsl.com>; Thu, 15 Nov 2018 07:48:36 -0800 (PST)
Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com [209.85.221.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 955DB12D4EF for <tls@ietf.org>; Thu, 15 Nov 2018 07:48:35 -0800 (PST)
Received: by mail-wr1-f46.google.com with SMTP id v18-v6so21722914wrt.8 for <tls@ietf.org>; Thu, 15 Nov 2018 07:48:35 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=6CbG8lDdo+qq9Mlrd04EZVC9UWMD5Q+5eV6+QS3uwnY=; b=lwDZWYsqSZh68moVNiD2wuz1XA0YKlodQVt8wfouycLNLXk/QUiB2nOotBon6miMqO kQ62mb/D4/jmCPxxJ8qkPIEtHC+Z6/qClLAKKNTXvppT5qXwk1xOSu/YYiKg1ulI/3Ge tE+RqgJo6ekLaymbkIE9MfKq9Kh8PWwGC1YtpL7Tp4gdbl/PTFbrdI+cvsOCPxM+Pfd8 UUS3Mta5yVGtBQHUchfnAiL3RIptVUC7ugGIbqlcy1RAvO+RgpxsNUVRAwUg/IXWxymL bWvWS1eDNRyS6R48CJlUnbUpT4FSzcIcNMfDuddehW3vU4yyjEh68t+Ui0EZbegsQ+He QWWA==
X-Gm-Message-State: AA+aEWYZ4+PWoYwKg4ZUAJurW4dR9EKlGfRtps4GWWOR6Q1E+c/9IAtv CrPLmnPtAH6uJYCtfUQiV8uxKu1UQWA=
X-Google-Smtp-Source: AFSGD/WEoHgBg4pq51R25rcOKdQBduHIk0tqNjE4krk0zP7lvRd6F26FSBua+aZoEIb2+o4s+Yt+/A==
X-Received: by 2002:a5d:494a:: with SMTP id r10mr4121966wrs.272.1542296913738; Thu, 15 Nov 2018 07:48:33 -0800 (PST)
Received: from localhost.localdomain (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id z17sm3116197wrv.2.2018.11.15.07.48.32 for <tls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 15 Nov 2018 07:48:33 -0800 (PST)
Message-ID: <2cff4a401f0d45ce78495ce13d8898568bb9090c.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: tls@ietf.org
Date: Thu, 15 Nov 2018 16:48:32 +0100
In-Reply-To: <79CF87E7-E263-4457-865E-F7BE8251C506@dukhovni.org>
References: <79CF87E7-E263-4457-865E-F7BE8251C506@dukhovni.org>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.2 (3.30.2-2.fc29)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1DV2vpDkKSLhcOCZTzJE-TV5oq8>
Subject: Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2018 15:48:38 -0000

On Mon, 2018-11-05 at 21:24 -0500, Viktor Dukhovni wrote:
> TL;DR:  Should TLS client abort DHE-RSA handshakes with a peer
> certificate that *only* lists:
> 
>             X509v3 Key Usage: 
>                 Key Encipherment, Data Encipherment
> 
> (which one might take to mean that only RSA key exchange is allowed,
> and DHE-RSA is not, for lack of the DigitalSignature bit?
> 
> [ In the unlikely case it matters, the record the certificate
>   in question is self-signed, and has a DANE TLSA "3 0 1" record. ]
> 
> -- Background:
> 
> I am somewhat sympathetic to forbidding RSA key exchange when
> "Key Encipherment" is not listed, in order to reduce the risk of
> Bleichenbacher-type attacks, but it is not obvious at first blush
> why one might the converse restriction...
> 
> The reason I ask is that the Haskell TLS library has recently added
> enforcement in both directions, and I am finding some SMTP servers
> with whose STARTTLS implementation my DANE scan engine no longer
> interoperates.
> 
> And yet, FWIW, OpenSSL 1.1.1 continues to connect just fine.  Is
> this an oversight in OpenSSL?  Overly strict enforcement in Haskell's
> Network.TLS?

gnutls has been enforcing that rule for quite some time. That had
generated quite some bug reports from application developers in the
past. The main argument was, but other implementations work.
Nevertheless the last few years the trend has changed and I think that
strictness is not only tolerated by developers/end-users but actually
promoted. That's only my impression though.

regards,
Nikos

v2.23.0 | Report a Bug | By Email