IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

mrex@sap.com (Martin Rex) Fri, 10 July 2015 16:17 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 022021B2CEA for <tls@ietfa.amsl.com>; Fri, 10 Jul 2015 09:17:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0cPn1Jq-FhFy for <tls@ietfa.amsl.com>; Fri, 10 Jul 2015 09:17:07 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25E991B2CE8 for <tls@ietf.org>; Fri, 10 Jul 2015 09:17:07 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id D551C2A810; Fri, 10 Jul 2015 18:17:05 +0200 (CEST)
X-purgate-ID: 152705::1436545025-0000413A-77FCFC7D/0/0
X-purgate-size: 2024
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id C5D234041A; Fri, 10 Jul 2015 18:17:05 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id BD6C71A1D5; Fri, 10 Jul 2015 18:17:05 +0200 (CEST)
In-Reply-To: <201507101137.44703.davemgarrett@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Date: Fri, 10 Jul 2015 18:17:05 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150710161705.BD6C71A1D5@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NnAYl4PtODBkhH6LbX31uVe5ZTE>
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 16:17:09 -0000

Dave Garrett wrote:
> On Friday, July 10, 2015 11:05:15 am Viktor Dukhovni wrote:
>>
>> Yes, when possible servers should provide a chain that is more
>> likely to be understood by the client.  But refusing to provide
>> the chain they have, just because the client did not disclose every
>> signature algorithm it supports (or simply did not send any) is a
>> mistake in the implementation and likely a design error in the
>> specification.
> 
> https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
> 
> The only instance a TLS 1.2 client is allowed to omit the extension
> is when it only support the defaults. If it doesn't support the default
> or supports something else (or both) then it MUST send the extension.

This is the result of an incorrect reading of rfc5246.

If the TLSv1.2 client uses the *PERMITTED* option in
section 7.4.1.2 ClientHello:

   extensions
      Clients MAY request extended functionality from servers by sending
      data in the extensions field.  The actual "Extension" format is
      defined in Section 7.4.1.4.

Then the entire Section 7.4.1.4 HelloExtensions and all of its SubSections
are completely irrelevant to that client.


There is no (valid) prohibition of TLSv1.0 and TLSv1.1 clients and servers
to use server certificate that is signed by sha256WithRsaEncryption, and
as you can test yourself, Microsoft SChannel will properly handshake
with these protocol versions and a server certificate that has a
(sha256,rsa) signature.  The only situation where Microsoft SChannel
crashes and burns is when an extension-less ClientHello arrives with
ClientHello.client_version = (3,3).


Was TLSv1.2 really meant to be backwards-incompatible to TLSv1.0 and TLSv1.1
and create new problems for the migration from sha1-signed server certs
to sha256-signed server certificates, considering that sha1-signed certs
had already been officially been deprecated (e.g. by NIST) more than a
year before TLSv1.2 (rfc5246) was published.


-Martin

v2.23.0 | Report a Bug | By Email