Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

[Hubert Kario <hkario@redhat.com>]

On Wednesday 08 July 2015 13:50:39 Dave Garrett wrote:
> On Wednesday, July 08, 2015 01:45:49 pm Martin Rex wrote:
> > Unfortunately, a non-marginal installed base is exhibiting this
> > self-imposed (mis)behaviour of connection failure: Microsoft SChannel
> > beginning with Windows 7 / 2008R2 (aka WinNT 6.1), and Windows 8 / 2012
> > and
> > Windows 8.1 / 2012R2 exhibit the same (mis)behaviour.
> > 
> > When you install a server certificate with a sha256WithRsaEncryption
> > signature on a Microsoft IIS on one of these platforms, enable TLSv1.2 on
> > the server and try to connect with an extension-free ClientHello that
> > offers
> > client_version= (3,3), you will face a connection failure (IIS simply
> > closes the network connection--IIS is notorious in failing to put fatal
> > alerts on the wire).
> > 
> > The handshake succeeds (with TLSv1.1) if the client offers at most
> > TLSv1.1,
> > or if the client offers TLSv1.2 in a SSL Version2 CLIENT-HELLO rather than
> > an extensionless TLS ClientHello, if TLSv1.2 is disabled on IIS, or if
> > a server certificate with only sha1WithRsaEncryption ist used.
> 
> To clarify, how does this scenario respond with a TLS 1.2 ClientHello with
> at least one extension? Does it matter what extension(s)? (e.g. does IIS
> have to know what it is?)

The IIS is behaving as the RFC requires it to (with the exception of TLS 
alerts) - according to section 7.4.2 of RFC 5246 - bottom of page 48.

If you send a TLS 1.2 Client Hello, include signature algorithms with (sha1, 
sha256)*(rsa, ecdsa, dsa) it will abort connection if the installed 
certificate has SHA512 signature.
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic