IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-deprecate-08.txt

Sean Turner <sean@sn3rd.com> Fri, 10 September 2021 01:18 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4C573A0C7F for <tls@ietfa.amsl.com>; Thu, 9 Sep 2021 18:18:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHB3a0IBBuoS for <tls@ietfa.amsl.com>; Thu, 9 Sep 2021 18:18:43 -0700 (PDT)
Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B240F3A0C7E for <tls@ietf.org>; Thu, 9 Sep 2021 18:18:43 -0700 (PDT)
Received: by mail-qv1-xf36.google.com with SMTP id s16so305119qvt.13 for <tls@ietf.org>; Thu, 09 Sep 2021 18:18:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=260mMwyCCHI7Mjr9Op6paE10doYN9JzNy1Q+ohhdJOs=; b=exag+60fDuvC8fLqb2eNB+TrXqVWtfjDmD6Kxm16e/5elM/4PTLHX83RXUAF8WNiCq D521jx/YD5tcp50HcNga3ZEbk5hOqAu4bFzzxRmr1fuvWmH92FTo9VWFM7Jst3sNJWFC Mn4dJa252hkdOj+aXA3LMXjwudjnwJPyqdmYE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=260mMwyCCHI7Mjr9Op6paE10doYN9JzNy1Q+ohhdJOs=; b=LAXqrk1hPELfSBtb5XD9J9qAw93sm/K0xzeeQeVlW+Uao7it7TrmvhSJjQ87IUfiYz bbLr7DE2YNWliub/l/oJtde9lupWvBy0vNkAa5I70BZZ6kHal90fyi45pNpgCbtC9hHW H2xfl5Pxa5JagzT8+nGD42N/SHHl/fmDzH+pL/t57pdFGd8AkjZgEfsGYZoBI2bhJkV9 nLj8MIao212jWsBEwtqU8afGlMzTUTw9wFjvHD8TMNfWmsj8sMwJZc8mLNQdJWTyp3A9 wfxyjqHttw+f6kkL/3ZJiK4W4dygVZjWC9D+NqRzmVgCGuZnxLrfSmVkIXoO2q5ARmqv NrWA==
X-Gm-Message-State: AOAM532F8kEHutAiy0zVGCb2ZmEwwJff3dARyJqfwCxgDoD1BuCfxZ+X ohU9XUJ1XcWcTyqUC4dDX65gat5gdjJYrw==
X-Google-Smtp-Source: ABdhPJztGjwvv4LxplihMvKsfb954bAjWPF84sGnlI99ZrowBcMf12wn3rzBvrOMdhoJrkBhcx9hng==
X-Received: by 2002:a0c:fa06:: with SMTP id q6mr6084281qvn.50.1631236721370; Thu, 09 Sep 2021 18:18:41 -0700 (PDT)
Received: from smtpclient.apple (pool-71-178-177-131.washdc.fios.verizon.net. [71.178.177.131]) by smtp.gmail.com with ESMTPSA id c28sm2641160qkl.69.2021.09.09.18.18.40 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Sep 2021 18:18:40 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CAF8qwaDgeKcLBk0GMg3JZboehF4PrE=1XRT0fPq8CQ2S_1AsBw@mail.gmail.com>
Date: Thu, 09 Sep 2021 21:18:39 -0400
Cc: Hubert Kario <hkario@redhat.com>, TLS List <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1CAAA696-01D6-4428-8A83-DD2BADBE4BF5@sn3rd.com>
References: <163068481195.6396.4015668882511523788@ietfa.amsl.com> <6f0942ee-e946-48fb-96db-1fe35d2c1d46@redhat.com> <CAF8qwaBQdw5m7BAqaVL7hw9_1gDrw8=6uZSZfJ2BmzaOBpyY9g@mail.gmail.com> <25F5F4EE-7777-4C7C-8218-938392A59A5E@sn3rd.com> <CAF8qwaDgeKcLBk0GMg3JZboehF4PrE=1XRT0fPq8CQ2S_1AsBw@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iuWf2YutaQUn2HLOCRQgL2cXakw>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-deprecate-08.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Sep 2021 01:18:49 -0000


> On Sep 9, 2021, at 15:40, David Benjamin <davidben@chromium.org> wrote:
> 
> On Thu, Sep 9, 2021 at 2:12 PM Sean Turner <sean@sn3rd.com> wrote:
> 
> > On Sep 4, 2021, at 17:45, David Benjamin <davidben@chromium.org> wrote:
> > 
> > On Fri, Sep 3, 2021 at 1:24 PM Hubert Kario <hkario@redhat.com> wrote:
> > On Friday, 3 September 2021 18:00:12 CEST, internet-drafts@ietf.org wrote:
> > > A New Internet-Draft is available from the on-line 
> > > Internet-Drafts directories.
> > > This draft is a work item of the Transport Layer Security WG of the IETF.
> > >
> > >         Title           : Deprecating MD5 and SHA-1 signature 
> > > hashes in (D)TLS 1.2
> > >         Authors         : Loganaden Velvindron
> > >                           Kathleen Moriarty
> > >                           Alessandro Ghedini
> > >       Filename        : draft-ietf-tls-md5-sha1-deprecate-08.txt
> > >       Pages           : 6
> > >       Date            : 2021-09-03
> > >
> > > Abstract:
> > >    The MD5 and SHA-1 hashing algorithms are increasingly vulnerable to
> > >    attack and this document deprecates their use in TLS 1.2 digital
> > >    signatures.  However, this document does not deprecate SHA-1 in HMAC
> > >    for record protection.  This document updates RFC 5246.
> > >
> > >
> > > The IETF datatracker status page for this draft is:
> > > https://datatracker.ietf.org/doc/draft-ietf-tls-md5-sha1-deprecate/
> > >
> > > There is also an htmlized version available at:
> > > https://datatracker.ietf.org/doc/html/draft-ietf-tls-md5-sha1-deprecate-08
> > 
> > >   Servers SHOULD NOT include MD5 and SHA-1 in CertificateRequest
> > >   messages.
> > 
> > >    Clients MUST NOT include MD5 and SHA-1 in CertificateVerify messages.
> > >   If a server receives a CertificateVerify message with MD5 or SHA-1 it
> > >   MUST abort the connection with handshake_failure or
> > >   insufficient_security alert.
> > 
> > As written, this would make already existing implementations not RFC 
> > compliant
> > when they are configured to not support SHA-1.
> > 
> > RFC5246 requires the server to abort with illegal_parameter if the
> > CV included an algorithm that wasn't advertised in CR.
> > 
> > Ah, good catch. There's also some odd asymmetry here. Section 4 talks about a server being unable to *send* a ServerKeyExchange (and uses the correct alerts). It says nothing about the client *receiving* an invalid (by ClientHello) ServerKeyExchange which is, as in the case you describe, an illegal_parameter. Meanwhile, Section 5 talks about the server *receiving* an invalid (by CertificateRequest) CertificateVerify, and with the wrong alerts. It says nothing about the client being unable to *send* a CertificateVerify.
> > 
> > I don't feel very strongly about whether we talk about sending, receiving, or both, for each of these messages. But we should be consistent and use the right alerts. (Or we could just talk about preferences and let the message behavior fall out of that.)
> 
> I think what might solve this is the following (I just included all of the text with 2119-language because there isn’t much of it):
> 
> 2.  Signature Algorithms
> 
>    Clients MUST include the signature_algorithms extension.  Clients
>    MUST NOT include MD5 and SHA-1 in this extension.
> 
> 3.  Certificate Request
> 
>    Servers SHOULD NOT include MD5 and SHA-1 in CertificateRequest
>    messages.
> 
> 4.  Server Key Exchange
> 
>    Servers MUST NOT include MD5 and SHA-1 in ServerKeyExchange messages.
>    If the client receives a ServerKeyExchange message indicating MD5 or
>    SHA-1, then it MUST abort the connection with an illegal_parameter
>    alert.
> 
> 5.  Certificate Verify
> 
>    Clients MUST NOT include MD5 and SHA-1 in CertificateVerify messages.
>    If a server receives a CertificateVerify message with MD5 or SHA-1, then
>    it MUST abort the connection with illegal_parameter alert.
> 
> LGTM with one comment. (Sorry, for all the last-minute comments! I didn't notice this in my last email. :-( ) It is a little odd that servers advertising MD5/SHA1 in CertificateRequest is merely a SHOULD NOT, but rejecting them in CertificateVerify is a MUST NOT. Though that's also present in the existing text. I forget how we ended up here. Was it to allow for SHA-1 in the Certificate message?
> 
> ...I wonder if that's why we ended up with the funny alerts. Because if the server declines to do the SHOULD NOT, the client isn't doing anything wrong, protocol-wise, by taking the server up on its offer of SHA-1.
> 
> If we want to keep it very simple, we could upgrade section 3 to MUST NOT and avoid this problem, but I don't know if there was some reason for the asymmetric expectations here. We could also condition the server rule in section 5 on having taken the SHOULD NOT in section 3. (Prior to TLS 1.3, there is no way to say "SHA-1 is okay in Certificate, but not okay in CertificateVerify/ServerKeyExchange".)
> 
> David 

A lot of this was born out of the deprecate TLS 1/1.1 RFC that spun this I-D off. I believe this is the thread back in mid-2019:
https://mailarchive.ietf.org/arch/msg/tls/qTlDYpSlSe6Mf2zDV_iqOXO-6xo/

spt

v2.23.0 | Report a Bug | By Email