IETF Logo Mail Archive

Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

Eric Rescorla <ekr@rtfm.com> Thu, 23 March 2017 18:26 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97345129B5D for <tls@ietfa.amsl.com>; Thu, 23 Mar 2017 11:26:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kQ4PBzpIpJOb for <tls@ietfa.amsl.com>; Thu, 23 Mar 2017 11:26:23 -0700 (PDT)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81D471294C4 for <tls@ietf.org>; Thu, 23 Mar 2017 11:26:23 -0700 (PDT)
Received: by mail-yw0-x22d.google.com with SMTP id p77so152679379ywg.1 for <tls@ietf.org>; Thu, 23 Mar 2017 11:26:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=f8Dg7/24quBKJeZPHSTUqGbA2+RJJRnRXADHKb24wSU=; b=NT8HYN3iHhyiPmen1E1/3agnpBR5105IljU3h143fntjpYNyKPzvzLq8ZdCW2CExzO hR4Wz1viVcS56TPshUi0rZ29WPt9xSLFEbeecGSaa75U8XJtuXFxPNaUyw7Bw1ouDX+d 8uK5HUBBzIlF7hm7a8qfRlIiDjbC5Gj2L+w3cKfEVMJjovYhMA3gDhlKa1HTcjvhTjLl nYm/tG5JFWYsLX1KjoDbzmQ3ZlkGhScek817XKZQMHqqj8VFuRpA9Oo0cp0b6KJB0lLn yVplacbCqESa1a8Xe1CuzLvl/21NudDM11i94F6Yp+uToEVbRIKPo8hzzgR2nAgsoxk+ 9RBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=f8Dg7/24quBKJeZPHSTUqGbA2+RJJRnRXADHKb24wSU=; b=P1552VJbth+zEcjai90yu/HtEWdAwztxYCVMMfXEGGFsKr6GX5Flg1hBvu/VEVb4So xjS+hiyUEedxBYPX2EJunFAmGij0EygJIfBTiOvXqtqr2HWATMnGnd+t1kYtl22fupff RttP51VHtl3QpUYZmZyH6OxPSSg4PMmVpphS124K9oYotYYKAIEG8+JJmekfOovY+m8K A6lj7g/sx7ScvU+RTnqI1m2LymX0HJBvuJglfKFZTS+abcGWlthgQlanU43hUeLkZQOY j2rkUOgVvZE3TmmFNs8s5K5cfq+dG3ArkLmLIUGNFT4Ce4qIVIrmmp0L5sZlBd7CwFTR 9h3w==
X-Gm-Message-State: AFeK/H2ddQ8joRqkFE5upU5JzDNcxOQnkfKpEd1KnLWEDognVlgu5p7vGpPL3+RaBNzrONQZCM1tGyLAp5Q+rQ==
X-Received: by 10.37.201.196 with SMTP id z187mr2849970ybf.161.1490293582729; Thu, 23 Mar 2017 11:26:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Thu, 23 Mar 2017 11:25:42 -0700 (PDT)
In-Reply-To: <20170323172437.B250C1A65A@ld9781.wdf.sap.corp>
References: <CABcZeBPfHWJDPWqtb9HcOi1714NF_xhQtLD1MwybAawgm_Xx5g@mail.gmail.com> <20170323172437.B250C1A65A@ld9781.wdf.sap.corp>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 23 Mar 2017 11:25:42 -0700
Message-ID: <CABcZeBOxuocWWddep8CNrSm8bvO-=E3g_C2PCJFx5kkYw2cWAQ@mail.gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Cc: "Fries, Steffen" <steffen.fries@siemens.com>, TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114d88ea9c2bc3054b6a0308"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/87m6nmJ8vEAC9jcVwYplPwN-Hcg>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 18:26:26 -0000

On Thu, Mar 23, 2017 at 10:24 AM, Martin Rex <mrex@sap.com> wrote:

> Eric Rescorla wrote:
> >>
> >> based on your reply my conclusion is that
> >>
> >> -          there is no (standard compliant) way for a server to use a
> >> SHA256 based certificate for server side authentication in cases where
> the
> >> client does not provide the signature_algorithm extension
> >
> > Not quite. If the client offers TLS 1.1 or below, then you simply don't
> > know if it
> > will accept SHA-256 and you should send whatever you have. If the client
> > offers
> > TLS 1.2 and no signature_algorithm extension, then you technically are
> > forbidden
> > from sending it a SHA-256 certificate. Note that any client which in fact
> > supports
> > SHA-256 with TLS 1.2 but doesn't send signature_algorithms containing it,
> > is noncomformant. It's not clear to me how many such clients in fact
> exist.
>
> rfc5246 makes it perfectly compliant for a TLSv1.2 client to support
> sha256-based signature algorithms and be willing to use them,
> and *NOT* send the TLS signature_algorithm extension.
>
> https://tools.ietf.org/html/rfc5246#appendix-E.2


Yes, I agree with this, if you use the v2 ClIENT-HELLO.

-Ekr

> -    clients should always use the signature algorithm extension to
> >> ensure the server can apply a certificate with the appropriate crypt
> >> algorithms
>
> Except that the vast majority of servers only has a single certificate,
> and will have to do "the right thing" in most situations anyway.
> The definition of the "signature_algorithms" extensions is
> sufficiently dense to say that you MUST not send it, except when
> ClientHello.client_version=(3,3), and it is not possible to send it
> when using a backwards-compatible SSL version 2 CLIENT-HELLO.
>
>
> -Martin
>

v2.23.0 | Report a Bug | By Email