IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

mrex@sap.com (Martin Rex) Wed, 08 July 2015 17:45 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99AAA1A1BFF for <tls@ietfa.amsl.com>; Wed, 8 Jul 2015 10:45:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8m7YtgP1SMtR for <tls@ietfa.amsl.com>; Wed, 8 Jul 2015 10:45:55 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9B8D1A1C04 for <tls@ietf.org>; Wed, 8 Jul 2015 10:45:51 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 48BC9446DE for <tls@ietf.org>; Wed, 8 Jul 2015 19:45:49 +0200 (CEST)
X-purgate-ID: 152705::1436377549-00000B48-3AE001A1/0/0
X-purgate-size: 2093
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 3D037426C2 for <tls@ietf.org>; Wed, 8 Jul 2015 19:45:49 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 336B51A1C7; Wed, 8 Jul 2015 19:45:49 +0200 (CEST)
In-Reply-To: <20150707205858.GH21534@mournblade.imrryr.org>
To: tls@ietf.org
Date: Wed, 08 Jul 2015 19:45:49 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150708174549.336B51A1C7@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Z0kDYNco5Bzke3ic-xfYhdyU3ng>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 17:45:57 -0000

Viktor Dukhovni wrote:
> On Tue, Jul 07, 2015 at 10:45:25AM -0700, Eric Rescorla wrote:
>> 
>> So if you can't express SHA1 in signature_algorithms, then the server can't
>> send you a certificate signed with SHA-1.
> 
> This is a very unfamiliar use of the word "can't".  In practice
> most servers will send whatever (fixed) certificate chain they're
> configured with, no matter the content of the signature_algorithm
> extension.  Servers that possess otherwise equivalent chains that
> differ only in the signature algorithm are rather rare beasts AFAIK.
> 
> Which SSL libraries allow server administrators to configure multiple
> chains based on the signature algorithm?


Unfortunately, a non-marginal installed base is exhibiting this self-imposed
(mis)behaviour of connection failure: Microsoft SChannel beginning 
with Windows 7 / 2008R2 (aka WinNT 6.1), and Windows 8 / 2012 and
Windows 8.1 / 2012R2 exhibit the same (mis)behaviour.

When you install a server certificate with a sha256WithRsaEncryption signature
on a Microsoft IIS on one of these platforms, enable TLSv1.2 on the server
and try to connect with an extension-free ClientHello that offers
client_version= (3,3), you will face a connection failure (IIS simply closes
the network connection--IIS is notorious in failing to put fatal alerts
on the wire).

The handshake succeeds (with TLSv1.1) if the client offers at most TLSv1.1,
or if the client offers TLSv1.2 in a SSL Version2 CLIENT-HELLO rather than
an extensionless TLS ClientHello, if TLSv1.2 is disabled on IIS, or if
a server certificate with only sha1WithRsaEncryption ist used.


> 
> My impression is that chain selection based on the extension is
> largely wishful thinking.


To me, it looks more like a lack of thinking on part of the spec writers
and the implementors.  Just how dumb the idea is should become obvious
if you compare the handshake result for TLSv1.1 and for TLSv1.2.
Essentially, this is a TLS protocol version intolerance created by 
the TLSv1.2 protocol specification itself.


-Martin

v2.23.0 | Report a Bug | By Email