Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 March 2017 14:39 UTC
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <E6C9F0E527F94F4692731382340B337846DD1B@DENBGAT9EH2MSX.ww902.siemens.net>
Date: Thu, 23 Mar 2017 10:39:05 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: TLS WG <tls@ietf.org>
Message-Id: <4DD1F233-D659-4F79-9ADA-BC31A49DA653@dukhovni.org>
References: <E6C9F0E527F94F4692731382340B337846DD1B@DENBGAT9EH2MSX.ww902.siemens.net>
To: TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/C3i5M2IbOPPiCWr8GwcyB_DRZsY>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
> On Mar 23, 2017, at 10:31 AM, Fries, Steffen <steffen.fries@siemens.com> wrote:
>
> According to TLS 1.2 section 7.4.1.4.1. a client may use the
> signature_algorithm extension to signal any combinations the
> client supports, listed in the order of preferences.

The signature algorithm is primarily about signatures made as part of
the TLS handshake, and not so much signatures in certificates.

> If the client does not use this extension, the server must use the
> signature algorithm in combination with SHA1.

For signing the TLS key exchange, however, it should still present
whatever certificate chain it has, even if that chain employs SHA256.
It is exceedingly unlikely these days that a client will not support
SHA256 signatures in the certificate chain.

> This may lead to an error on the client side when validating the
> certificate.

You really should not even deploy SHA1 certificates these days, though
some sites are still using their legacy SHA1 certificates that have not
yet expired.

> Unfortunately the server is not allowed to use this extension, otherwise
> he could tell the client his preferences according to his security policy.

The protocol (as it should) lacks the additional round-trips necessary
for the server to initiate signature algorithm negotiation.

> Is there a standard compliant way to utilize SHA256 based certificates on
> the server side even when a client does not signal additional signature
> algorithms?

Yes, just use them regardless of the client's signature algorithm
extension. See the TLS 1.3 draft for improved language about the
interaction of signature algorithms and certificates.

-- 
	Viktor.
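As an added illustration (not part of the thread or any TLS library), the Python sketch below separates the two decisions the reply distinguishes: the hash used for the server's handshake signature is negotiated from the client's signature_algorithms extension (defaulting to SHA-1 when the extension is absent, as RFC 5246 section 7.4.1.4.1 requires), while the certificate chain served is chosen independently of that extension. The policy ordering in `SERVER_HASH_PREFERENCE` and the function names are my assumptions.

```python
import struct

# Code points from RFC 5246 section 7.4.1.4.1 (HashAlgorithm / SignatureAlgorithm).
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}

# Assumed server policy: strongest first, SHA-1 only as the last resort.
SERVER_HASH_PREFERENCE = ("sha512", "sha384", "sha256", "sha1")


def parse_signature_algorithms(ext_data: bytes):
    """Parse the body of a TLS 1.2 signature_algorithms extension.

    Wire format: uint16 length, then (hash, signature) byte pairs in the
    client's order of preference. Returns a list of (hash, sig) name pairs.
    """
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length == 0 or length % 2 or length != len(body):
        raise ValueError("bad signature_algorithms length")
    return [
        (HASH_NAMES.get(body[i], "hash(%d)" % body[i]),
         SIG_NAMES.get(body[i + 1], "sig(%d)" % body[i + 1]))
        for i in range(0, length, 2)
    ]


def choose_handshake_hash(server_key_type: str, ext_data):
    """Hash for the ServerKeyExchange signature made with the server's key.

    No extension: the RFC fixes SHA-1 for rsa/dsa/ecdsa keys. Otherwise
    pick the strongest policy hash the client offered for this key type.
    """
    if ext_data is None:
        return "sha1"
    offered = {h for h, s in parse_signature_algorithms(ext_data) if s == server_key_type}
    for h in SERVER_HASH_PREFERENCE:
        if h in offered:
            return h
    raise ValueError("no common signature/hash for " + server_key_type)


def plan_server_signing(server_key_type: str, ext_data, configured_chain: str):
    """Return (handshake_hash, chain): the chain does not depend on the extension."""
    return choose_handshake_hash(server_key_type, ext_data), configured_chain
```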