Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

mrex@sap.com (Martin Rex) Wed, 08 July 2015 18:07 UTC

In-Reply-To: <201507081350.39322.davemgarrett@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Date: Wed, 08 Jul 2015 20:07:47 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150708180747.8C9B11A1C7@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/E8yVe-IfB-pvWnbrgiDOByCqKsc>
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Dave Garrett wrote:
> Martin Rex wrote:
>> Unfortunately, a non-marginal installed base is exhibiting this self-imposed
>> (mis)behaviour of connection failure: Microsoft SChannel beginning 
>> with Windows 7 / 2008R2 (aka WinNT 6.1), and Windows 8 / 2012 and
>> Windows 8.1 / 2012R2 exhibit the same (mis)behaviour.
>> 
>> When you install a server certificate with a sha256WithRsaEncryption signature
>> on a Microsoft IIS on one of these platforms, enable TLSv1.2 on the server
>> and try to connect with an extension-free ClientHello that offers
>> client_version= (3,3), you will face a connection failure (IIS simply closes
>> the network connection--IIS is notorious in failing to put fatal alerts
>> on the wire).
>> 
>> The handshake succeeds (with TLSv1.1) if the client offers at most TLSv1.1,
>> or if the client offers TLSv1.2 in a SSL Version2 CLIENT-HELLO rather than
>> an extensionless TLS ClientHello, if TLSv1.2 is disabled on IIS, or if
>> a server certificate with only sha1WithRsaEncryption is used.
> 
> To clarify, how does this scenario respond with a TLS 1.2 ClientHello
> with at least one extension? Does it matter what extension(s)?
> (e.g. does IIS have to know what it is?)


The issue here is the (lack of the) TLSv1.2 signature_algorithms extension.

Windows SChannel appears to treat the absence of this extension
the same as the presence of an extension with (md5,rsa) (sha1,rsa) (sha1,dsa).

If you send the TLSv1.2 signature_algorithms extension with the
algorithm matching the signature of the server certificate,
e.g. (sha256,rsa) in the above example, then a TLSv1.2 handshake will succeed.


Correcting a slight inaccuracy above:  when the server certificate is signed
with sha1WithRsaEncryption, the handshake will succeed with TLSv1.2.

When an SSLv2 ClientHello offering TLSv1.2 is sent, the TLS handshake
will succeed independent of the signature on the IIS server certificate,
but the server will pick only TLSv1.1 rather than TLSv1.2.


-Martin
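The behaviour Martin describes (an extension-free TLS 1.2 ClientHello being treated as if it carried a signature_algorithms list that does not cover a sha256-signed certificate) can be checked against the wire format. The following is an added example, not code from Martin or from SChannel: it builds a TLS 1.2 ClientHello with or without the signature_algorithms extension (type 13, RFC 5246 section 7.4.1.4.1), parses it back, and models the server-side decision as reported in this thread. The implied default list is taken from the post's description of SChannel, not from the RFC (which specifies {sha1,rsa}, {sha1,dsa}, {sha1,ecdsa} and no md5). The cipher suite value, the all-zero client random and the helper names are assumptions for illustration; the SSLv2-compatible CLIENT-HELLO path is not modelled.

```python
"""Model of the signature_algorithms / extension-free ClientHello behaviour
described in the thread.  Constructed example; not SChannel's logic."""
import struct

# TLS constants from RFC 5246
HANDSHAKE = 22
CLIENT_HELLO = 1
EXT_SIGNATURE_ALGORITHMS = 13
TLS12 = (3, 3)

HASH = {"md5": 1, "sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}
SIG = {"rsa": 1, "dsa": 2, "ecdsa": 3}
HASH_NAME = {v: k for k, v in HASH.items()}
SIG_NAME = {v: k for k, v in SIG.items()}

# What the post reports SChannel assumes when the extension is absent.
# (RFC 5246 itself says {sha1,rsa},{sha1,dsa},{sha1,ecdsa}; md5 is the
# reported SChannel deviation.)  Assumption taken from the post's wording.
SCHANNEL_IMPLIED_DEFAULT = [("md5", "rsa"), ("sha1", "rsa"), ("sha1", "dsa")]


def build_client_hello(version=TLS12, sig_algs=None, cipher_suites=(0x003C,)):
    """Return one TLS record carrying a ClientHello.

    sig_algs=None omits the extensions block entirely (an extension-free
    ClientHello); a list of (hash, sig) names adds signature_algorithms.
    0x003C (TLS_RSA_WITH_AES_128_CBC_SHA256) is just a filler suite.
    """
    body = bytes(version) + bytes(32)          # client_version + 32-byte random (zeros, constructed)
    body += b"\x00"                            # session_id: empty
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(cs)) + cs    # cipher_suites
    body += b"\x01\x00"                        # compression_methods: null only
    if sig_algs is not None:
        pairs = b"".join(bytes([HASH[h], SIG[s]]) for h, s in sig_algs)
        ext_data = struct.pack("!H", len(pairs)) + pairs
        ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Return (client_version, sig_algs) where sig_algs is None when the
    signature_algorithms extension (or the whole extensions block) is absent."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 34                                   # skip version + random
    pos += 1 + body[pos]                       # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                       # compression_methods
    if pos >= len(body):
        return version, None                   # extension-free ClientHello
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    sig_algs = None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SIGNATURE_ALGORITHMS:
            n = struct.unpack("!H", edata[:2])[0]
            sig_algs = [(HASH_NAME.get(edata[2 + i]), SIG_NAME.get(edata[3 + i]))
                        for i in range(0, n, 2)]
    return version, sig_algs


def schannel_accepts(record, cert_sig_alg):
    """Model of the reported behaviour: for a TLS 1.2 ClientHello the server
    requires its certificate's signature algorithm to appear in the offered
    list, substituting SCHANNEL_IMPLIED_DEFAULT when the extension is absent.
    Returns True if the handshake would proceed, False if the server would
    drop the connection.  Clients offering at most TLS 1.1 always pass here."""
    version, offered = parse_client_hello(record)
    if version < TLS12:
        return True
    effective = offered if offered is not None else SCHANNEL_IMPLIED_DEFAULT
    return tuple(cert_sig_alg) in {tuple(p) for p in effective}


if __name__ == "__main__":
    sha256_cert = ("sha256", "rsa")
    print("extension-free TLS1.2 hello, sha256 cert:",
          schannel_accepts(build_client_hello(), sha256_cert))
    print("TLS1.2 hello with (sha256,rsa), sha256 cert:",
          schannel_accepts(build_client_hello(sig_algs=[("sha256", "rsa")]), sha256_cert))
    print("extension-free TLS1.2 hello, sha1 cert:",
          schannel_accepts(build_client_hello(), ("sha1", "rsa")))
```

The two cases that matter in the thread are the first and the last: the same extension-free hello is rejected against a sha256WithRsaEncryption certificate and accepted against a sha1WithRsaEncryption one, which is exactly what makes the failure look like a certificate problem rather than a ClientHello problem. A real capture of the failing handshake should show the ClientHello ending right after the compression_methods byte, with no extensions block at all.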