Re: [TLS] Server abort because of unrecognised vs rejected client provided parameters
Hubert Kario <hkario@redhat.com> Thu, 27 October 2016 18:30 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 173231295C4 for <tls@ietfa.amsl.com>; Thu, 27 Oct 2016 11:30:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.333
X-Spam-Level:
X-Spam-Status: No, score=-7.333 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.431, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dpOpFu6pJ8B0 for <tls@ietfa.amsl.com>; Thu, 27 Oct 2016 11:29:58 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59A3C1293FE for <tls@ietf.org>; Thu, 27 Oct 2016 11:29:58 -0700 (PDT)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 55A2D8F253; Thu, 27 Oct 2016 18:23:05 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (dhcp-0-115.brq.redhat.com [10.34.0.115]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u9RIN4LA016759 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 27 Oct 2016 14:23:05 -0400
From: Hubert Kario <hkario@redhat.com>
To: Kurt Roeckx <kurt@roeckx.be>
Date: Thu, 27 Oct 2016 20:22:55 +0200
Message-ID: <77772374.d9I1LrzaI5@pintsize.usersys.redhat.com>
User-Agent: KMail/5.3.1 (Linux/4.7.9-200.fc24.x86_64; KDE/5.26.0; x86_64; ; )
In-Reply-To: <20161027174640.akocwtmqcfhkzbvx@roeckx.be>
References: <2807298.nMSlSttlYL@pintsize.usersys.redhat.com> <20161027174640.akocwtmqcfhkzbvx@roeckx.be>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart7740430.XLk2MSyslZ"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Thu, 27 Oct 2016 18:23:05 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aeqwH6_YRpFNFe2pIBHzP5ql8co>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Server abort because of unrecognised vs rejected client provided parameters
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2016 18:30:00 -0000
On Thursday, 27 October 2016 19:46:40 CEST Kurt Roeckx wrote: > On Fri, Oct 21, 2016 at 03:24:35PM +0200, Hubert Kario wrote: > > Currently TLS has two alert descriptions for when there is no intersection > > between ciphers/sigalgs/groups advertises by client and ones that are > > enabled in server. It's the handshake_failure and insufficient_security > > alerts. > > > > While it is a step in good direction in providing users with better > > messages in case of connection failure, I think there is one edge case > > which may ruin the effort. > > > > Let's say we have a client that advertises following signature methods: > > rsa-ssa-sha256 > > rsa-ssa-sha384 > > > > and this client is connecting to server which requires use of > > rsa-ssa-sha512 signatures only, but does implement weaker hashes and the > > requirement is just result of administrator requiring high security. > > > > I think that such connection attempt should end with > > insufficient_security. > > > > Problem is, what if the server does not implement some even never RSA > > signature format, but client does advertise support for them? > > > > I think then the connection should end with handshake_failure. > > So what about the case where the server does implement it, but > it's been disabled? For instance because he wanted to disable MD5 > he only enabled SHA-1 years ago, but then SHA-2 got implemented > and only SHA-1 is enabled. handshake_failure ideally because server recognizes that client hello includes values it implements that are stronger than what it has enabled the main point is to differentiate failures caused by too weak/old clients from regular lack of overlap between server and client implemented parameter set in short, server should never send insufficient_security if all parameters included in client hello are ones that have been defined at the time when server was implemented -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [TLS] Server abort because of unrecognised vs rej… Hubert Kario
- Re: [TLS] Server abort because of unrecognised vs… Kurt Roeckx
- Re: [TLS] Server abort because of unrecognised vs… Hubert Kario