Re: [TLS] TLS 1.2 clarification requested (Martin Rex) Tue, 01 October 2013 20:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 95C4411E8211 for <>; Tue, 1 Oct 2013 13:37:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.05
X-Spam-Status: No, score=-7.05 tagged_above=-999 required=5 tests=[HELO_EQ_DE=0.35, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8yP64OJdLNNE for <>; Tue, 1 Oct 2013 13:37:42 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7C22C11E81AD for <>; Tue, 1 Oct 2013 13:37:41 -0700 (PDT)
Received: from by (26) with ESMTP id r91Kbcft004380 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 1 Oct 2013 22:37:38 +0200 (MEST)
In-Reply-To: <>
To: "Kain, Michael T" <>
Date: Tue, 1 Oct 2013 22:37:38 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <>
From: (Martin Rex)
X-SAP: out
Cc: "''" <>
Subject: Re: [TLS] TLS 1.2 clarification requested
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Oct 2013 20:37:52 -0000

Kain, Michael T wrote:
> I'm trying to understand the TLS 1.2 restrictions and signature
> algorithms and how they interact.


The semantics of the TLS signature algorithms extension as specified
in TLSv1.2 (rfc5246):

and the specified interaction with the ServerCertificate chain as 
described in the last paragraph in page 49

is fubar'ed (as in the ...beyond recognition sense).

I don't know whether implementations of TLSv1.2 actually do/enforce any
of that crap, but Murphy's Law says that the implementation that your
customer/consumer wants to interop with, does so -- and that will
cause of lot of grey hair in the long run.

> Is there a relation between the signature algorithm
> that is negotiated between client and server and the algorithm which signed
> the server certificate?

The description in rfc5246 sections " Signature Algorithms"
and "7.4.2 Server Certificate" require such a relation, but there is
some non-zero probability that a TLSv1.2 implementor either did not
notice or intentionally ignores this botched part of rfc5246.

> Does that affect the hash algorithm of TLS 1.2 - or is that always SHA256?

Beware !  there are two distinct types of default hash algorithms
in TLSv1.2:

   1.  SHA256  for the PRF plus the handshake message hash that goes
       into the Finished handshake message computation

   2.  either MD5 or SHA1 **alone** for "digitally_signed struct"
       as used in the ServerKeyExchange or CertificateVerify
       handshake messages.

(2) is a huge step backwards in security from all prior versions of
TLS and even from SSLv3.  Essentially, a client that is proposing TLSv1.2
and not including a TLS signature extension, is subjecting itself
to a downgrade attack that is worse than a fallback reconnect to SSLv3.

The "default" digital signature algorithm is the most ridiculous
breakage in TLSv1.2.  Had the TLS WG waited for FIPS 186-3 to complete
then there could have been SHA-256 everywhere in TLSv1.2, resulting
in less complex and faster code, and more secure implementations.

> For example, if I've got a server configured with a server certificate
> signed with SHA256, can it still establish a connection using the

With implementations of SSLv3 through TLSv1.1, this typically just works.

rfc5246 would "officially" require both server and client to fatally
abort the handshake, unless the client allowed the use of a server
certificate with a sha256WithRSAEncryption signature by including a TLS
signature extension to that effect in ClientHello -- which is ridiculous.

> Does the signature algorithm for a certificate affect which Ciphersuites can
> be negotiated and used?

I can not currently think of a situation where the signature algorithm
on the server's certificate would matter.

It is the public key in the server's certificate (plus the keyUsage attribute)
that determines which key exchange algorithms can be used, and that limits
the cipher suites from those proposed by the client in ClientHello
from which the server can choose.