IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

mrex@sap.com (Martin Rex) Fri, 10 July 2015 14:31 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DDF31B2C84 for <tls@ietfa.amsl.com>; Fri, 10 Jul 2015 07:31:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.251
X-Spam-Level:
X-Spam-Status: No, score=-6.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T4DUPajFF4Ce for <tls@ietfa.amsl.com>; Fri, 10 Jul 2015 07:31:11 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 375761B2CCB for <tls@ietf.org>; Fri, 10 Jul 2015 07:29:46 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id D924A2ADA0; Fri, 10 Jul 2015 16:29:44 +0200 (CEST)
X-purgate-ID: 152705::1436538584-0000413A-5310A2E5/0/0
X-purgate-size: 2843
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id CAD70402EE; Fri, 10 Jul 2015 16:29:44 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id C077C1A1D5; Fri, 10 Jul 2015 16:29:44 +0200 (CEST)
In-Reply-To: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com>
To: Henrik Grubbström <grubba@gmail.com>
Date: Fri, 10 Jul 2015 16:29:44 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20150710142944.C077C1A1D5@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/W4VuqS4gKpOMRIdoq63udmwAPVU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 14:31:14 -0000

Henrik Grubbström wrote:
>  Martin Rex <mrex@sap.com> wrote:
>> The issue here is the (lack of the) TLSv1.2 signature_algorithms extension.
>>
>> Windows SChannel appears to treat the absence of this extension
>> the same as the presence of an extension with (md5,rsa) (sha1,rsa) (sha1,dsa)
>>
>> If you send the TLSv1.2 signature_algorithms extension with the
>> algorithm matching the signature of the server certificate, e.g.
>> (sha256,rsa) in the above example, then a TLSv1.2 handshake will succeed.
> 
> Sounds like it is complying with the TLS v1.2 RFC. Fix your client.


Nope, _our_ client is perfectly compliant by _not_ sending TLS extensions.
SCHannel is violating a MUST requirement, failing to properly process
a ServerHello without a TLS extension.

https://tools.ietf.org/html/rfc5246#section-7.4.1.2

  7.4.1.2  ClientHello

   extensions
      Clients MAY request extended functionality from servers by sending
      data in the extensions field.  The actual "Extension" format is
      defined in Section 7.4.1.4.


                                      A server MUST accept ClientHello
   messages both with and without the extensions field,


The interpretation of rfc5246 that Microsoft is using to explain the
broken behaviour is in clear conflict with rfc2119 section 6

https://tools.ietf.org/html/rfc2119#section-6

   6. Guidance in the use of these Imperatives

   Imperatives of the type defined in this memo must be used with care
   and sparingly.  In particular, they MUST only be used where it is
   actually required for interoperation or to limit behavior which has
   potential for causing harm (e.g., limiting retransmisssions)  For
   example, they must not be used to try to impose a particular method
   on implementors where the method is not required for
   interoperability.


Requiring a server admin to continue using a sha1WithRsaEncryption
signed certificate and failing the handshake when a sha256WithRsaEncryption
signed certificate is installed, or alternatively requiring the server
admin to disable TLSv1.2 (which happens to be the default in Win7/2008R2)
is a dumb idea and actively causing harm.

So the alleged requirement they're looking at is either not meant
the way they're reading it, or that requirement is simply VOID because
it is clearly incompatible with rfc2119 section 6.


What the implementor did not take into account is the warning sign
on the front of rfc5246, where it says "Proposed Standard",
which is explained by rfc2026:

http://tools.ietf.org/html/rfc2026#section-4.1.1

   Implementors should treat Proposed Standards as immature
   specifications.  It is desirable to implement them in order to gain
   experience and to validate, test, and clarify the specification.


-Martin

v2.23.0 | Report a Bug | By Email