Re: [TLS] TLS 1.2 clarification requested
mrex@sap.com (Martin Rex) Tue, 01 October 2013 20:37 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95C4411E8211 for <tls@ietfa.amsl.com>; Tue, 1 Oct 2013 13:37:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.05
X-Spam-Level:
X-Spam-Status: No, score=-7.05 tagged_above=-999 required=5 tests=[HELO_EQ_DE=0.35, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8yP64OJdLNNE for <tls@ietfa.amsl.com>; Tue, 1 Oct 2013 13:37:42 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 7C22C11E81AD for <tls@ietf.org>; Tue, 1 Oct 2013 13:37:41 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r91Kbcft004380 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 1 Oct 2013 22:37:38 +0200 (MEST)
In-Reply-To: <45407AA8FD01AB4EA1D23EFE48EA29B9D57B9217DB@USEA-EXCH7.na.uis.unisys.com>
To: "Kain, Michael T" <Michael.Kain@unisys.com>
Date: Tue, 01 Oct 2013 22:37:38 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131001203738.334971A9CC@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "'tls@ietf.org'" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.2 clarification requested
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2013 20:37:52 -0000
Kain, Michael T wrote: > > I'm trying to understand the TLS 1.2 restrictions and signature > algorithms and how they interact. BEWARE! The semantics of the TLS signature algorithms extension as specified in TLSv1.2 (rfc5246): http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 and the specified interaction with the ServerCertificate chain as described in the last paragraph in page 49 http://tools.ietf.org/html/rfc5246#page-49 is fubar'ed (as in the ...beyond recognition sense). I don't know whether implementations of TLSv1.2 actually do/enforce any of that crap, but Murphy's Law says that the implementation that your customer/consumer wants to interop with, does so -- and that will cause of lot of grey hair in the long run. > > Is there a relation between the signature algorithm > that is negotiated between client and server and the algorithm which signed > the server certificate? The description in rfc5246 sections "7.4.1.4.1 Signature Algorithms" and "7.4.2 Server Certificate" require such a relation, but there is some non-zero probability that a TLSv1.2 implementor either did not notice or intentionally ignores this botched part of rfc5246. > > Does that affect the hash algorithm of TLS 1.2 - or is that always SHA256? Beware ! there are two distinct types of default hash algorithms in TLSv1.2: 1. SHA256 for the PRF plus the handshake message hash that goes into the Finished handshake message computation 2. either MD5 or SHA1 **alone** for "digitally_signed struct" as used in the ServerKeyExchange or CertificateVerify handshake messages. (2) is a huge step backwards in security from all prior versions of TLS and even from SSLv3. Essentially, a client that is proposing TLSv1.2 and not including a TLS signature extension, is subjecting itself to a downgrade attack that is worse than a fallback reconnect to SSLv3. The "default" digital signature algorithm is the most ridiculous breakage in TLSv1.2. Had the TLS WG waited for FIPS 186-3 to complete then there could have been SHA-256 everywhere in TLSv1.2, resulting in less complex and faster code, and more secure implementations. > > For example, if I've got a server configured with a server certificate > signed with SHA256, can it still establish a connection using the > TLS_RSA_WITH_AES_256_CBC_SHA? With implementations of SSLv3 through TLSv1.1, this typically just works. rfc5246 would "officially" require both server and client to fatally abort the handshake, unless the client allowed the use of a server certificate with a sha256WithRSAEncryption signature by including a TLS signature extension to that effect in ClientHello -- which is ridiculous. > > Does the signature algorithm for a certificate affect which Ciphersuites can > be negotiated and used? I can not currently think of a situation where the signature algorithm on the server's certificate would matter. It is the public key in the server's certificate (plus the keyUsage attribute) that determines which key exchange algorithms can be used, and that limits the cipher suites from those proposed by the client in ClientHello from which the server can choose. -Martin
- [TLS] TLS 1.2 clarification requested Kain, Michael T
- Re: [TLS] TLS 1.2 clarification requested Yoav Nir
- Re: [TLS] TLS 1.2 clarification requested Martin Rex
- Re: [TLS] TLS 1.2 clarification requested Yoav Nir
- Re: [TLS] TLS 1.2 clarification requested Johannes Merkle
- Re: [TLS] TLS 1.2 clarification requested Yoav Nir