Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

[Andrei Popov <Andrei.Popov@microsoft.com>]

For context: on multiple threads, Martin has repeatedly brought up the fact that schannel complies with section 7.4.1.4.1 "Signature Algorithms" of RFC 5246, which says:

"   If the client does not send the signature_algorithms extension, the
   server MUST do the following:

   -  If the negotiated key exchange algorithm is one of (RSA, DHE_RSA,
      DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), behave as if client had
      sent the value {sha1,rsa}.

   -  If the negotiated key exchange algorithm is one of (DHE_DSS,
      DH_DSS), behave as if the client had sent the value {sha1,dsa}.

   -  If the negotiated key exchange algorithm is one of (ECDH_ECDSA,
      ECDHE_ECDSA), behave as if the client had sent value {sha1,ecdsa}."

This means that e.g. if IIS only has a SHA256 cert, and the client offers TLS1.2 and no signature_algorithms extension, IIS will indeed fail the handshake.

It is possible that we might improve the product by not complying with section 7.4.1.4.1 of RFC 5246 in a future release, but currently schannel does comply.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Rex
Sent: Wednesday, July 8, 2015 11:08 AM
To: Dave Garrett
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Dave Garrett wrote:
> Martin Rex wrote:
>> Unfortunately, a non-marginal installed base is exhibiting this 
>> self-imposed (mis)behaviour of connection failure: Microsoft SChannel 
>> beginning with Windows 7 / 2008R2 (aka WinNT 6.1), and Windows 8 / 
>> 2012 and Windows 8.1 / 2012R2 exhibit the same (mis)behaviour.
>> 
>> When you install a server certificate with a sha256WithRsaEncryption 
>> signature on a Microsoft IIS on one of these platforms, enable 
>> TLSv1.2 on the server and try to connect with an extension-free 
>> ClientHello that offers client_version= (3,3), you will face a 
>> connection failure (IIS simply closes the network connection--IIS is 
>> notorious in failing to put fatal alerts on the wire).
>> 
>> The handshake succeeds (with TLSv1.1) if the client offers at most 
>> TLSv1.1, or if the client offers TLSv1.2 in a SSL Version2 
>> CLIENT-HELLO rather than an extensionless TLS ClientHello, if TLSv1.2 
>> is disabled on IIS, or if a server certificate with only sha1WithRsaEncryption ist used.
> 
> To clarify, how does this scenario respond with a TLS 1.2 ClientHello 
> with at least one extension? Does it matter what extension(s)?
> (e.g. does IIS have to know what it is?)


The issue here is the (lack of the) TLSv1.2 signature_algorithms extension.

Windows SChannel appears to treat the absence of this extension the same as the presence of an extension with (md5,rsa) (sha1,rsa) (sha1,dsa)

If you send the TLSv1.2 signature_algorithms extension with the algorithm matching the signature of the server certificate, e.g. (sha256,rsa) in the above example, then a TLSv1.2 handshake will succeed.


Correcting a slight inaccuracy above:  when the server certificate is signed with sha1WithRsaEncryption, the handshake will succeed with TLSv1.2.

When an SSLv2 ClientHello offering TLSv1.2 is sent, the TLS handshake will succeed independent of the signature on the IIS server certificate, but the server will pick only TLSv1.1 rather than TLSv1.2.


-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls