IETF Logo Mail Archive

Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

mrex@sap.com (Martin Rex) Fri, 24 March 2017 15:18 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5D89129BAB for <tls@ietfa.amsl.com>; Fri, 24 Mar 2017 08:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id voL9I9ULILHq for <tls@ietfa.amsl.com>; Fri, 24 Mar 2017 08:18:26 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 553A0131539 for <tls@ietf.org>; Fri, 24 Mar 2017 08:18:21 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 3vqRrX2kW9z26Vl for <tls@ietf.org>; Fri, 24 Mar 2017 16:18:20 +0100 (CET)
X-purgate-ID: 152705::1490368700-00003836-2824FF36/0/0
X-purgate-size: 2735
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 3vqRrX0twhzGpB0 for <tls@ietf.org>; Fri, 24 Mar 2017 16:18:20 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 135531A65C; Fri, 24 Mar 2017 16:18:20 +0100 (CET)
In-Reply-To: <52C6D0EF-D6AC-484A-9096-BDAE5C870F82@dukhovni.org>
To: TLS WG <tls@ietf.org>
Date: Fri, 24 Mar 2017 16:18:20 +0100
Reply-To: mrex@sap.com
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20170324151820.135531A65C@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fDYC6IRgir5jy8nx6vSa1PryYKA>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 15:18:29 -0000

Viktor Dukhovni wrote:
> 
> The net effect is that in practice you simply ignore the signature
> algorithms when it comes to the certificate chain.

Essentially correct.  This is the only reasonable, highly backwards
compatible and perfectly secure choice.

>
> I've never seen a TLS server that has multiple chains to choose from
> for the same server identity.  This applies also to TLS 1.2, despite
> RFC 5246.

Servers with multiple chains for the same server identity have been
around for a while, and their number might be higher than you expect.

More often they choose cert by offered cipher suites (RSA vs. ECDSA),
rather than by signature_algorithms.

I have recently encountered three public CAs that issue such dual-certs,
two of them either thought about potential consequences (or got it right
by chance): VeriSign and DigiCert.

* The RSA and ECDSA dual server certs from VeriSign were issued under the same
(RSA) RootCA cert "VeriSign PCA3 - G5",

* The RSA and ECDSA dual server certs from DigiCert were issued under the same
(RSA) RootCA cert "DigiCert High Assurance EV Root CA"

However, the RSA and ECDSA dual server certs from Comodo were issued
under _distinct_ RootCAs.  I don't know whether Comodo or the purchaser
of the dual server certs goofed this, but unless you negligently dump an
overbroad "blindly trust everyone" into your client-software in a web-browser
fashion (which gives _everyone_ the creeps, see Certificate Transparency
and HPKP bandaids), those Comodo-issued RSA+ECDSA dual server certs
from distinct PKIs are a severe interop nightmare.

If you want to roll out support for ECDSA cipher suites into an installed
base of TLS that is currently limited to RSA, dual certs from distinct
PKIs may result in servers unexpectedly picking and responding with
an untrusted server cert in existing usage scenarios,
after a software update of the TLS client (which adds support for ECDSA
cipher suites).


Two Cloudflare (CDN) examples for dual cert servers:

  Comodo:    https://regmedia.co.uk/

  DigiCert:  https://www.cloudflare.com/

Actually, the latter seems to be a triple-cert server (try -sigalgs RSA+SHA1)



Things could be so much easier if folks would spend a little more
time thinking about backwards compatibility, i.e. what is necessary
so that a new feature can be rolled out into an installed base of
TLS client and servers, without causing interop failures for existing
usage scenarios.

TLSv1.3 has a few problems. Including the pointless hiding of ContentInfo
in the outer TLS record, which is non-interoperable with some of the
installed base and precludes efficient end-of-communication discovery.


-Martin

v2.23.0 | Report a Bug | By Email