Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

David Benjamin <davidben@chromium.org> Fri, 05 February 2016 20:08 UTC

From: David Benjamin <davidben@chromium.org>
Date: Fri, 05 Feb 2016 20:07:49 +0000
To: Kurt Roeckx <kurt@roeckx.be>, tls@ietf.org
In-Reply-To: <CAF8qwaC-u-8HCTFegx+yhwSQibrrPULX0i6UaopfQrzaMS7gew@mail.gmail.com>
Message-ID: <CAF8qwaD63QYqHxAUmsYCfvMGFmF5mji3TqQ-=xodMpZs_5TknA@mail.gmail.com>
Subject: Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/C337GnMy9OxrxmO5COTy_121Ar8>

On Mon, Jan 11, 2016 at 6:17 PM David Benjamin <davidben@chromium.org> wrote:

> In terms of getting rid of TLS 1.0 and TLS 1.1 altogether, we're seeing
> around 3% of connections using TLS 1.0 or TLS 1.1. That's quite high, and
> it's likely that enterprise deployments are much worse.
>
> I started gathering numbers on ServerKeyExchange hashes back in November.
> The code isn't on Chrome's stable channel yet, but earlier channels say a
> bit over 5% of ServerKeyExchanges are signed with SHA-1, which is also
> quite high.
>
> I also started probing servers in November and observed:
> (a) Servers which always sign SHA-1.
>

Lest anyone get their hopes up, it turns out OpenSSL-based servers before
1.0.1j that use SNI (specifically those that call SSL_set_SSL_CTX in the
SNI callback) ignore the signature_algorithms extension and only sign
SHA-1. We'll be stuck with this one for a long while. 1.0.1j was only
released 2014-10-15, and Linux distributions tend to be on older versions
with backported security fixes to say nothing of folks that don't update at
all.
https://rt.openssl.org/Ticket/Display.html?id=3560

David


> (b) Servers which sign SHA-1 *unless* signature_algorithms omits it. Then
> they sign SHA-256!?!!?
> (c) Servers which sign SHA-2 but fail if signature_algorithms omits SHA-1.
> The ones I looked at were all from serving SHA-1 certificates, so probably
> their SSL stack compares certs against sig_algs.
>
> (b) and (c) mean that getting a sense of the true impact will be
> complicated until we finish getting SHA-1 certificates out of our system. I
> have not dug into what's going on with groups (a) and (b) yet.
>
> This all is not to say we shouldn't phase these out. But I do not expect
> it to be a speedy process for browsers.
>
> David
>
> On Mon, Jan 11, 2016 at 1:30 PM Kurt Roeckx <kurt@roeckx.be> wrote:
>
>> Hi,
>>
>> After the SLOTH paper, we should think about starting to deprecate
>> TLS 1.0 and TLS 1.1 and the SHA1 based signature algorithms in TLS
>> 1.2.
>>
>> As I understand it, they estimate that both TLS 1.2 with SHA1 and
>> TLS 1.0 and 1.1 with MD5|SHA1 currently require about 2^77 to be
>> broken.  They all depend on the chosen prefix collision on SHA1,
>> with the MD5 part in TLS 1.0 and 1.1 not adding much.
>>
>> It seems that disabling SHA1 in TLS 1.2 doesn't buy you anything
>> unless you also disable TLS 1.0 and 1.1.
>>
>>
>> Kurt
>>
>
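The measurement David describes (counting which hash a server signs its ServerKeyExchange with, and sorting servers into the (a)/(b)/(c) buckets from two probes) comes down to parsing one handshake message. The following is an added example, not code from the thread, Chrome or OpenSSL: it parses a TLS 1.2 ECDHE ServerKeyExchange per the RFC 5246 layout (curve type, named curve, EC point, SignatureAndHashAlgorithm, signature), handles the TLS 1.0/1.1 case where the SignatureAndHashAlgorithm field does not exist and the hash is implicit, and maps the outcome of two probes (signature_algorithms with and without SHA-1) onto the categories in the message. The sample messages are constructed inline with dummy points and signatures; `build_sample_ske` and `classify_server` are names assumed here.

```python
"""Classify which hash a TLS server signs ServerKeyExchange with.

Added example: parses a TLS 1.2 ECDHE ServerKeyExchange (RFC 5246 7.4.3 /
RFC 4492 5.4) and reports the SignatureAndHashAlgorithm.  Sample messages are
constructed below with dummy key material; they are not captured traffic.
"""
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12
NAMED_CURVE = 3                     # ECCurveType.named_curve
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)

HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
# Before TLS 1.2 there is no algorithm field: RSA signs MD5||SHA-1, ECDSA signs SHA-1.
IMPLICIT_LEGACY = "implicit (md5+sha1 for RSA, sha1 for ECDSA)"


def parse_ecdhe_server_key_exchange(msg: bytes, version=TLS12) -> dict:
    """Return curve, point and signature metadata from a handshake message.

    `msg` includes the 4-byte handshake header.  `version` is the negotiated
    protocol version, which decides whether SignatureAndHashAlgorithm is present.
    """
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    if body[0] != NAMED_CURVE:
        raise ValueError("only named_curve ServerKeyExchange is supported here")
    named_curve = struct.unpack("!H", body[1:3])[0]
    point_len = body[3]
    point = body[4:4 + point_len]
    off = 4 + point_len
    if version >= TLS12:
        hash_id, sig_id = body[off], body[off + 1]
        off += 2
        hash_name = HASH_NAMES.get(hash_id, "unknown(%d)" % hash_id)
        sig_name = SIG_NAMES.get(sig_id, "unknown(%d)" % sig_id)
    else:
        hash_name, sig_name = IMPLICIT_LEGACY, "implicit"
    sig_len = struct.unpack("!H", body[off:off + 2])[0]
    sig = body[off + 2:off + 2 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated signature")
    return {"named_curve": named_curve, "point": point, "hash": hash_name,
            "signature": sig_name, "signature_len": sig_len}


def build_sample_ske(hash_id: int, sig_id: int, version=TLS12) -> bytes:
    """Constructed sample: P-256 (named_curve 23), dummy uncompressed point,
    dummy 256-byte signature.  hash_id/sig_id are ignored before TLS 1.2."""
    point = b"\x04" + b"\x11" * 64
    body = bytes([NAMED_CURVE]) + struct.pack("!H", 23) + bytes([len(point)]) + point
    if version >= TLS12:
        body += bytes([hash_id, sig_id])
    sig = b"\x22" * 256
    body += struct.pack("!H", len(sig)) + sig
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


def classify_server(with_sha1_offered, without_sha1_offered) -> str:
    """Map two probe outcomes to the categories in the thread.

    Each argument is the hash name the server signed with when the client's
    signature_algorithms did / did not include SHA-1, or None if the handshake
    failed.  'a': always SHA-1; 'b': SHA-1 unless SHA-1 is omitted; 'c': SHA-2
    but fails when SHA-1 is omitted; 'compliant': SHA-2 either way.
    """
    sha2 = ("sha224", "sha256", "sha384", "sha512")
    if with_sha1_offered == "sha1" and without_sha1_offered == "sha1":
        return "a"
    if with_sha1_offered == "sha1" and without_sha1_offered in sha2:
        return "b"
    if with_sha1_offered in sha2 and without_sha1_offered is None:
        return "c"
    if with_sha1_offered in sha2 and without_sha1_offered in sha2:
        return "compliant"
    return "other"


if __name__ == "__main__":
    for hash_id in (2, 4):
        info = parse_ecdhe_server_key_exchange(build_sample_ske(hash_id, 1))
        print("TLS 1.2 sample signed with", info["hash"], info["signature"])
    legacy = parse_ecdhe_server_key_exchange(build_sample_ske(0, 0, TLS10), TLS10)
    print("TLS 1.0 sample:", legacy["hash"])
    print("group (a) server:", classify_server("sha1", "sha1"))
```

Run against real captures, the parser feeds one ServerKeyExchange per connection into a tally of `info["hash"]`; the legacy branch is what makes Kurt's point concrete, since a TLS 1.0/1.1 connection never carries a hash choice at all.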