Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

[Andrei Popov <Andrei.Popov@microsoft.com>]

Hi Steffen,

You’re stepping on a sore point for this WG☺. Based on the strict interpretation of the TLS 1.2 RFC, your conclusions are correct.
If a TLS1.2 client does not send the signature algorithms extension (or the extension does not include SHA256), a compliant TLS 1.2 server with a SHA256 certificate has no choice but terminate the handshake.

Unfortunately, in practice there are TLS 1.2 clients that support SHA256, but don’t advertise it via the signature algorithms extension. Some of their implementers will argue that extensions are, by definition, optional functionality. Or that a TLS client may not have insight into its PKI library’s capabilities. Or that a TLS server is has no say in what certificate to use.

Be that as it may, from the server’s perspective, this strict compliance with the RFC reduces interoperability without a clear security gain. A server that favors interoperability over RFC compliance would send its SHA256 cert anyway, and let the client terminate the handshake. This is a change I made (rather reluctantly) in the latest versions of Windows.

Cheers,

Andrei

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Fries, Steffen
Sent: Thursday, March 23, 2017 8:37 AM
To: TLS WG <tls@ietf.org>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

Hi Erik,

based on your reply my conclusion is that

-          there is no (standard compliant) way for a server to use a SHA256 based certificate for server side authentication in cases where the client does not provide the signature_algorithm extension

-          clients should always use the signature algorithm extension to ensure the server can apply a certificate with the appropriate crypt algorithms

Best regards
Steffen

On Thu, Mar 23, 2017 at 7:39 AM, Viktor Dukhovni <ietf-dane@dukhovni.org<mailto:ietf-dane@dukhovni.org>> wrote:

> On Mar 23, 2017, at 10:31 AM, Fries, Steffen <steffen.fries@siemens.com<mailto:steffen.fries@siemens.com>> wrote:
>
> According to  TLS 1.2 section 7.4.1.4.1. a client may use the
> signature_algorithm extension to signal any combinations the
> client supports, listed in the order of preferences.

The signature algorithm is primarily about signatures made as part
of the TLS handshake, and not so much signatures in certificates.

This does not seem consistent with https://tools.ietf.org/rfcmarkup?doc=5246#section-7.4.2

"If the client provided a "signature_algorithms" extension, then all certificates provided by
the server MUST be signed by a hash/signature algorithm pair that appears in that extension."

I appreciate that there are people who feel that this rule is bad, and
to some extent it has been relaxed in 1.3, but I think the text is
pretty clear here.


> If the client does not use this extension, the server must use the
> signature algorithm in combination with SHA1.

For signing the TLS key exchange, however, it should still present
whatever certificate chain it has, even if that chain employs SHA256.
It is exceedingly unlikely these days that a client will not support
SHA256 signatures in the certificate chain.

Yes, that's generally true. Though a TLS 1.2 client which does not offer SHA-256
in its ClientHello but accepts SHA-256 is broken. So, this should generally
only happen with TLS 1.1 and below.



> Unfortunately the server is not allowed to use this extension, otherwise
> he could tell the client his preferences according to his security policy.

The protocol (as it should) lacks the additional round-trips necessary for
the server to initiate signature algorithm negotiation.

I'm not sure quite what the OP Is trying to achieve here. For certificates offered
by the server, the client just tells you what algorithms it will accept for no negotiation
is needed. For certificates offered by the client, the server tells the client
what algorithms it will accept in the CertificateRequest.
https://tools.ietf.org/rfcmarkup?doc=5246#section-7.4.4

-Ekr