IETF Logo Mail Archive

Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client

Michael D'Errico <mike-list@pobox.com> Sat, 19 February 2011 09:43 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ADB6C3A6FD6 for <tls@core3.amsl.com>; Sat, 19 Feb 2011 01:43:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.412
X-Spam-Level:
X-Spam-Status: No, score=-2.412 tagged_above=-999 required=5 tests=[AWL=-0.113, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MymdYHw8Z7w1 for <tls@core3.amsl.com>; Sat, 19 Feb 2011 01:43:57 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id 707B93A6E5B for <tls@ietf.org>; Sat, 19 Feb 2011 01:43:56 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 0F6922D10; Sat, 19 Feb 2011 04:45:41 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=kKr3oyVOSsay C9Xi2+e3x8nmiPo=; b=tpXyIomWwzBzut8QHCbTngS3ux4ATJpAg91Tnb54Qv/x oKsp7eLR09GEwAkVxbuElQGYLMEkURZUGW0Qt5nJyTaAAv2P7ySCv35zlrXWsW9k nFhrZMa5qHng4x2TPbLt33En9CNi+IGhdLE+MIuBIomsGiFyju86SwgA3UYZpEk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=JrMT/4 Yv3HSE9+fgLAv0fL/DDTMRxKojrFSLI7fFTC1yiiS9e942CEf0l7GPpxyHXoqy0L kCoxwFFVnOQ2rXj9N3Z3LSvkBSs5Rzf5rYx2z+Z12lG1Mx7o/+bFu64E8SZ7u4lT MbGXO1al9Fn4nQLI1lHo0bVrCMwP79m7tGhss=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id EE5742D0F; Sat, 19 Feb 2011 04:45:39 -0500 (EST)
Received: from iMac.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id 39C582D0E; Sat, 19 Feb 2011 04:45:37 -0500 (EST)
Message-ID: <4D5F90FB.9010406@pobox.com>
Date: Sat, 19 Feb 2011 01:44:27 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
MIME-Version: 1.0
To: Juho Vähä-Herttua <juhovh@iki.fi>
References: <201102181928.p1IJSThD006475@fs4113.wdf.sap.corp> <7B07CE79-74A3-4CED-90E9-5910E67E90C7@iki.fi> <4D5F17B1.9030608@pobox.com> <450D2317-1125-4008-AC6C-CFDECA94C05C@iki.fi>
In-Reply-To: <450D2317-1125-4008-AC6C-CFDECA94C05C@iki.fi>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
X-Pobox-Relay-ID: 02BDEA5C-3C0D-11E0-8271-AF401E47CF6F-38729857!a-pb-sasl-sd.pobox.com
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Feb 2011 09:43:58 -0000

Juho Vähä-Herttua wrote:
> On 19.2.2011, at 3.06, Michael D'Errico wrote:
>> The point of the signature_algorithms extension is to permit a graceful
>> upgrade of server certificates to using better than SHA-1 hash functions.
>> You couldn't just suddenly switch your server cert to one signed with
>> RSA/SHA-256 and expect every client to cope.  It would certainly cause
>> problems for some.
>>
>> To benefit from the extension, you would need to have two concurrent
>> server certificates: one signed with RSA/SHA-1, and another signed with
>> RSA/SHA-256.  Then based on the signature algorithms presented by the
>> client, your TLS code would choose the best one.
> 
> Yes, but even in this case I think it would make much more sense to have the requirement as SHOULD and not MUST. Because if all the server has is RSA/SHA-1 and the client is requesting RSA/SHA-256, I think it's much better that the server will continue with RSA/SHA-1 and then the client can fail if it doesn't like it. How does your implementation work by the way if the requested SHA/SHA-256 is not found? I expect you have a client implementation as well, does it check that all the server certificate signatures match the signature_algorithms extension sent in ClientHello and fail if not?

Originally I made the server lenient; if there was no suitable certificate
chain, then it would choose the "best" match and hope the client would
accept it.

But then I got a bug report from someone who suggested that the server
should abort the handshake if there isn't a perfect match.  Initially I
disagreed, but their logic makes sense: if the client was willing to
accept a certificate signed with RSA/SHA-1, then it would have included
that algorithm in the list.  Since it didn't (and in this case the client
only wanted ECDSA certificates which I don't support yet), it was causing
the client trouble.

I'm pretty sure my client code is still lenient, but it's been a while
since I looked at that part of it.

Mike




> I think it's ok to use signature_algorithms as a recommended list of algorithms and then fall back to locally configured preference if that is not found, worst case is that the handshake fails, but it would fail anyway if no suitable certificate is found... 
> 
> 
> Juho
>

v2.23.0 | Report a Bug | By Email