IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Watson Ladd <watsonbladd@gmail.com> Fri, 10 July 2015 14:44 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF8A31B2C94 for <tls@ietfa.amsl.com>; Fri, 10 Jul 2015 07:44:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JBBBFKccpjJk for <tls@ietfa.amsl.com>; Fri, 10 Jul 2015 07:44:37 -0700 (PDT)
Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 845B81B2C8F for <tls@ietf.org>; Fri, 10 Jul 2015 07:44:36 -0700 (PDT)
Received: by wiga1 with SMTP id a1so17406479wig.0 for <tls@ietf.org>; Fri, 10 Jul 2015 07:44:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=ap8zeSUHgrLo8UToEByVWunb4iNSj4tmFMwUfQgdYDY=; b=X9mxqQVPH7JwB9OzazUN5kDH4/Dxm+yWKqOia/O0h9OMpON87WtaPpVALUNGJrbXv/ 1NrWWU3wuj+GtHVvNktb8myWR539YDhE3WGrAApgmSRdcJzgasNdj509YKXKMvRH7wej TDMkbX/lgTHqC+2UKSQgbcGyF3l5bBpKRtXVQEOj41BowL/IUJkf5tiRCHWMbbH7327y ird325IGgM3RoHpUxD3E41R/460oI3f40DD/91yx2ZM0y57v33VGBz412HRdNdIkLW8e Js7Eq1aGZAsK2S2Ix8D+ceRZ1ZbSLWhlWxcZYwoQg0We9yJLMlvKPAvYOfKvN3dG2buW ahlA==
MIME-Version: 1.0
X-Received: by 10.194.20.161 with SMTP id o1mr43664937wje.32.1436539475329; Fri, 10 Jul 2015 07:44:35 -0700 (PDT)
Received: by 10.194.20.97 with HTTP; Fri, 10 Jul 2015 07:44:35 -0700 (PDT)
In-Reply-To: <20150710142944.C077C1A1D5@ld9781.wdf.sap.corp>
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <20150710142944.C077C1A1D5@ld9781.wdf.sap.corp>
Date: Fri, 10 Jul 2015 07:44:35 -0700
Message-ID: <CACsn0c=W8c5KjHtVEpHeBVy-ifJxTKoN1+WXP0EZ8fJqqd3yxA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/PGgtjK7sKfUMtXdKwz3hcwN05uA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 14:44:39 -0000

On Fri, Jul 10, 2015 at 7:29 AM, Martin Rex <mrex@sap.com> wrote:
> Henrik Grubbström wrote:
>>  Martin Rex <mrex@sap.com> wrote:
>>> The issue here is the (lack of the) TLSv1.2 signature_algorithms extension.
>>>
>>> Windows SChannel appears to treat the absence of this extension
>>> the same as the presence of an extension with (md5,rsa) (sha1,rsa) (sha1,dsa)
>>>
>>> If you send the TLSv1.2 signature_algorithms extension with the
>>> algorithm matching the signature of the server certificate, e.g.
>>> (sha256,rsa) in the above example, then a TLSv1.2 handshake will succeed.
>>
>> Sounds like it is complying with the TLS v1.2 RFC. Fix your client.
>
>
> Nope, _our_ client is perfectly compliant by _not_ sending TLS extensions.
> SCHannel is violating a MUST requirement, failing to properly process
> a ServerHello without a TLS extension.

Specific overrules general.

>
> https://tools.ietf.org/html/rfc5246#section-7.4.1.2
>
>   7.4.1.2  ClientHello
>
>    extensions
>       Clients MAY request extended functionality from servers by sending
>       data in the extensions field.  The actual "Extension" format is
>       defined in Section 7.4.1.4.
>
>
>                                       A server MUST accept ClientHello
>    messages both with and without the extensions field,
>
>
> The interpretation of rfc5246 that Microsoft is using to explain the
> broken behaviour is in clear conflict with rfc2119 section 6

This interpretation is so obviously wrong. ECDHE support requires
sending extensions. A server configured to only support ECDHE
ciphersuites will fail any handshake that doesn't contain the
necessary extensions. You cannot expect psychic servers to negotiate
unadvertised features.

Why can't you advertise support for the signatures you in fact
support, if you want to advertise support?

>
> https://tools.ietf.org/html/rfc2119#section-6
>
>    6. Guidance in the use of these Imperatives
>
>    Imperatives of the type defined in this memo must be used with care
>    and sparingly.  In particular, they MUST only be used where it is
>    actually required for interoperation or to limit behavior which has
>    potential for causing harm (e.g., limiting retransmisssions)  For
>    example, they must not be used to try to impose a particular method
>    on implementors where the method is not required for
>    interoperability.
>
>
> Requiring a server admin to continue using a sha1WithRsaEncryption
> signed certificate and failing the handshake when a sha256WithRsaEncryption
> signed certificate is installed, or alternatively requiring the server
> admin to disable TLSv1.2 (which happens to be the default in Win7/2008R2)
> is a dumb idea and actively causing harm.

If clients don't support sha256WithRsaEncryption, they won't work with
that server. The problem is clients failing to advertise features,
then their authors complaining about lack of psychic abilities on the
behalf of servers.

>
> So the alleged requirement they're looking at is either not meant
> the way they're reading it, or that requirement is simply VOID because
> it is clearly incompatible with rfc2119 section 6.
>
>
> What the implementor did not take into account is the warning sign
> on the front of rfc5246, where it says "Proposed Standard",
> which is explained by rfc2026:
>
> http://tools.ietf.org/html/rfc2026#section-4.1.1
>
>    Implementors should treat Proposed Standards as immature
>    specifications.  It is desirable to implement them in order to gain
>    experience and to validate, test, and clarify the specification.
>
>
> -Martin
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email