IETF Logo Mail Archive

Re: [TLS] DANE & TLS 1.3 (was Re: Deprecate SHA1 for signatures in TLS 1.3)

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 14 July 2015 05:22 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7E9E1A0125 for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 22:22:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ojDkdH03TLWC for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 22:22:30 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC87D1A0122 for <tls@ietf.org>; Mon, 13 Jul 2015 22:22:30 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 3BB3F284D74; Tue, 14 Jul 2015 05:22:29 +0000 (UTC)
Date: Tue, 14 Jul 2015 05:22:29 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150714052228.GT28047@mournblade.imrryr.org>
References: <201507111709.27725.davemgarrett@gmail.com> <BLUPR03MB1396A5E9F837D1806D5DDBA68C9C0@BLUPR03MB1396.namprd03.prod.outlook.com> <20150714024710.GR28047@mournblade.imrryr.org> <201507140038.51345.davemgarrett@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201507140038.51345.davemgarrett@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/HsSvub08yuq6p_1jVZXfT2fcK7E>
Subject: Re: [TLS] DANE & TLS 1.3 (was Re: Deprecate SHA1 for signatures in TLS 1.3)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 05:22:32 -0000

On Tue, Jul 14, 2015 at 12:38:51AM -0400, Dave Garrett wrote:

> > Furthermore, DANE-EE(3) clients and certificate pinning clients
> > cannot use anon_DH, they still a recognizable certificate from the
> > server, they just often don't need a recognizable signature.  Even
> > DANE-TA(2) clients might be able to stop part-way up the chain
> > before the objectionable signature appears.
> 
> Generic open-ended question: Is there anything else with regard to getting
> DANE working more smoothly that needs addressing?

>From a TLS standards perspective, we're in reasonably good shape.

The main remaining friction point is server software that is
incapable of including self-signed root CAs in the server's wire
certificate chain.

With DANE-TA(2), the trust-anchor certificate MUST be in the
server's certificate message (wire chain) even if it is a
self-signed "root".  So if a site wants to designate a self-signed
DANE trust anchor, it must find a way to include it in server
chains.

This is not a protocol problem as such.  Rather, the fact that the
specification says that server MAY omit root CA certs with a
"traditional" X.509 PKI means that some software stacks provide no
means for the server administrator to force inclusion.

With TLS 1.3, perhaps updated text could reference the imminent
RFC 6698 update (draft-ietf-dane-ops, scheduled for the IESG telechat
on Aug 6th) and mention that a mechanism needs to exist for servers
to request inclusion of root trust anchor certificates (when the
library constructs the chain on the fly by augmenting the application
provided leaf certificate with the requisite intermediate CA certs,
but at present by default leaves out the root CA cert).

In addition, with DANE-EE(3) TLS libraries are expected to accept
end-entity certificates that are expired or bear the wrong server
name, provided the certificate or enclosed public key matches the
TLSA record.  Thus (again not a protocol issue), it would be nice
if TLS libraries did not get in the way of that, but presumably
this gets fixed when the library adds DANE support.

Speaking of DANE support in libraries, there are as yet no mainstream
libraries that offer correct and complete DANE support.  I expect
to remediate this for one or two open source libraries.

Last I looked GnuTLS DANE support was rather incomplete, "ldns"
was insecure and libval was fragile.  Neither OpenSSL nor mTLS (aka
PolarSSL) at present support DANE.

In general don't trust DANE "addons" that are not core parts of
the underlying TLS library, this is very difficult to get right.
DANE support needs to be "baked in" as part of the core chain
construction and validation logic of the TLS library.  The application
can provide the validated TLSA RRset, the TLSA base domain and zero
or more additional reference identifiers (with DANE there can be
multiple valid hostnames for the server end of a client's TLS
connection), and the library should then do the rest.

I'd like to see DANE support in the not too distant future in at
least:

	* OpenSSL
	* mTLS
	* GnuTLS
	* NSS
	* Schannel
	* Java

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email