IETF Logo Mail Archive

Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 23 March 2017 17:11 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFF7D129AF9 for <tls@ietfa.amsl.com>; Thu, 23 Mar 2017 10:11:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xDIGjb2HaNUf for <tls@ietfa.amsl.com>; Thu, 23 Mar 2017 10:11:11 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0130.outbound.protection.outlook.com [104.47.40.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60C8712987B for <tls@ietf.org>; Thu, 23 Mar 2017 10:11:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=J+vDu5T7thc+p8o/iFKo7izkXFIx4rL8M4oEUd0yQ94=; b=NJ4nxEz7RnZjLIjd3ZeSohmeJLPTzf6y61a8+p1UuIrgRQ4lofJEWH3cdoF9sLUsRDbUDSvgS0FD/kp4BWnhVp1wBfAHMFYTC1mdGjHlTBwOxAnSlcjqWQhWeGSk5mFDNXaZQELFoDbsIZw+hoM26M1z/b6XW8FoGYgtlJvbS9A=
Received: from DM2PR21MB0091.namprd21.prod.outlook.com (10.161.141.14) by DM2PR21MB0089.namprd21.prod.outlook.com (10.161.141.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.2; Thu, 23 Mar 2017 17:11:04 +0000
Received: from DM2PR21MB0091.namprd21.prod.outlook.com ([10.161.141.14]) by DM2PR21MB0091.namprd21.prod.outlook.com ([10.161.141.14]) with mapi id 15.01.1005.002; Thu, 23 Mar 2017 17:11:04 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>, "Fries, Steffen" <steffen.fries@siemens.com>
CC: TLS WG <tls@ietf.org>
Thread-Topic: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
Thread-Index: AdKj4jdTMGBzllsXQzCZ8vwWateOaAAAQFKAAAGKvAAAAHthAAAC0feAAAAReFA=
Date: Thu, 23 Mar 2017 17:11:04 +0000
Message-ID: <DM2PR21MB009190C73B515AFF6F1BF52C8C3F0@DM2PR21MB0091.namprd21.prod.outlook.com>
References: <E6C9F0E527F94F4692731382340B337846DD1B@DENBGAT9EH2MSX.ww902.siemens.net> <4DD1F233-D659-4F79-9ADA-BC31A49DA653@dukhovni.org> <CABcZeBNu_9EHKWFzWFvtcUZ5GA5SQ8DbjHqEvn4yjBLH6=yuXg@mail.gmail.com> <E6C9F0E527F94F4692731382340B337846DE14@DENBGAT9EH2MSX.ww902.siemens.net> <CABcZeBPfHWJDPWqtb9HcOi1714NF_xhQtLD1MwybAawgm_Xx5g@mail.gmail.com>
In-Reply-To: <CABcZeBPfHWJDPWqtb9HcOi1714NF_xhQtLD1MwybAawgm_Xx5g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: rtfm.com; dkim=none (message not signed) header.d=none;rtfm.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:a::1d2]
x-microsoft-exchange-diagnostics: 1; DM2PR21MB0089; 7:HJEOBaoeai9BLoB9nB00Sync8SMZ0TBgfrg7kD05OcXg2yOBHVRWn29A5SiiOB7nbRy+I1nSJgWtz+G5+QgMWUs5fGXruJNCPLYwk1sOzslw+d3psKTVn9YfAO4IH9+pWvVtr1Wxd1wh+YFYlBXTcOgJKi5Rb7xUtHKp/UP2t2AwB7NoabJs/VlRNtEKzez4EJEKjYA9w6VIU58eHGNEk/XxtFkUUme1GFEiKaxx08UpT5up4c3oCfs5lLNmmMU60aCBcPfbshGzd9nFwN3ZPnyQgRju8sWau3Ph3kRWpLiaE3kvxZkHsUZwxXldq5JkArEg1Q0ij7wr/j3hO7pK37xSWh8YIpW7HF6x64Sl0+Y=
x-ms-office365-filtering-correlation-id: 107ad1a6-4740-4777-30ea-08d4720f96de
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081); SRVR:DM2PR21MB0089;
x-microsoft-antispam-prvs: <DM2PR21MB0089F96E2A61C29B0AD6EC278C3F0@DM2PR21MB0089.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(126837547833334)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040386)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006021)(93001021)(6055026)(61426038)(61427038)(6041248)(20161123562025)(201703131423011)(201702281528011)(201703061421011)(201703061406011)(20161123560025)(20161123558025)(20161123555025)(20161123564025)(6072148); SRVR:DM2PR21MB0089; BCL:0; PCL:0; RULEID:; SRVR:DM2PR21MB0089;
x-forefront-prvs: 0255DF69B9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39410400002)(39840400002)(39860400002)(39850400002)(39400400002)(39450400003)(377454003)(15404003)(24454002)(38730400002)(55016002)(7736002)(2950100002)(6246003)(102836003)(99286003)(54896002)(6306002)(33656002)(6116002)(790700001)(5005710100001)(25786009)(10290500002)(3280700002)(3660700001)(4326008)(2906002)(2900100001)(10090500001)(53546009)(93886004)(8936002)(8676002)(189998001)(81166006)(86612001)(74316002)(229853002)(122556002)(76176999)(7696004)(77096006)(6436002)(54356999)(606005)(9686003)(50986999)(53936002)(236005)(5660300001)(7906003)(6506006)(86362001)(34023003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR21MB0089; H:DM2PR21MB0091.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM2PR21MB009190C73B515AFF6F1BF52C8C3F0DM2PR21MB0091namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Mar 2017 17:11:04.6364 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR21MB0089
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/r60sJc-RjZU69XPa5OH0Ku38Vsg>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 17:11:14 -0000

Ø  Note that any client which in fact supports

Ø  SHA-256 with TLS 1.2 but doesn't send signature_algorithms containing it,

Ø  is noncomformant. It's not clear to me how many such clients in fact exist.

We saw enough TLS 1.2 clients that are non-compliant in this way that I made the server-side change to accommodate them.
Obviously, Martin Rex’s code is one example.
I’ve also seen a number of embedded/IoT-oriented TLS stacks that had this defect initially, when they first implemented TLS 1.2, although they were quick to fix.
Some of our customers in East Asia reported that the TLS stacks they used had this defect; when pointed at the RFC, they took the issue to the corresponding SW vendor(s).
Overall, a small percentage, but it generated enough support calls that the server change was worthwhile.

Cheers,

Andrei

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: Thursday, March 23, 2017 9:58 AM
To: Fries, Steffen <steffen.fries@siemens.com>
Cc: TLS WG <tls@ietf.org>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2



On Thu, Mar 23, 2017 at 8:37 AM, Fries, Steffen <steffen.fries@siemens.com<mailto:steffen.fries@siemens.com>> wrote:
Hi Erik,

based on your reply my conclusion is that

-          there is no (standard compliant) way for a server to use a SHA256 based certificate for server side authentication in cases where the client does not provide the signature_algorithm extension
Not quite. If the client offers TLS 1.1 or below, then you simply don't know if it
will accept SHA-256 and you should send whatever you have. If the client offers
TLS 1.2 and no signature_algorithm extension, then you technically are forbidden
from sending it a SHA-256 certificate. Note that any client which in fact supports
SHA-256 with TLS 1.2 but doesn't send signature_algorithms containing it,
is noncomformant. It's not clear to me how many such clients in fact exist.


-          clients should always use the signature algorithm extension to ensure the server can apply a certificate with the appropriate crypt algorithms
Yes.

-Ekr



Best regards
Steffen

On Thu, Mar 23, 2017 at 7:39 AM, Viktor Dukhovni <ietf-dane@dukhovni.org<mailto:ietf-dane@dukhovni.org>> wrote:

> On Mar 23, 2017, at 10:31 AM, Fries, Steffen <steffen.fries@siemens.com<mailto:steffen.fries@siemens.com>> wrote:
>
> According to  TLS 1.2 section 7.4.1.4.1. a client may use the
> signature_algorithm extension to signal any combinations the
> client supports, listed in the order of preferences.

The signature algorithm is primarily about signatures made as part
of the TLS handshake, and not so much signatures in certificates.

This does not seem consistent with https://tools.ietf.org/rfcmarkup?doc=5246#section-7.4.2

"If the client provided a "signature_algorithms" extension, then all certificates provided by
the server MUST be signed by a hash/signature algorithm pair that appears in that extension."

I appreciate that there are people who feel that this rule is bad, and
to some extent it has been relaxed in 1.3, but I think the text is
pretty clear here.


> If the client does not use this extension, the server must use the
> signature algorithm in combination with SHA1.

For signing the TLS key exchange, however, it should still present
whatever certificate chain it has, even if that chain employs SHA256.
It is exceedingly unlikely these days that a client will not support
SHA256 signatures in the certificate chain.

Yes, that's generally true. Though a TLS 1.2 client which does not offer SHA-256
in its ClientHello but accepts SHA-256 is broken. So, this should generally
only happen with TLS 1.1 and below.



> Unfortunately the server is not allowed to use this extension, otherwise
> he could tell the client his preferences according to his security policy.

The protocol (as it should) lacks the additional round-trips necessary for
the server to initiate signature algorithm negotiation.

I'm not sure quite what the OP Is trying to achieve here. For certificates offered
by the server, the client just tells you what algorithms it will accept for no negotiation
is needed. For certificates offered by the client, the server tells the client
what algorithms it will accept in the CertificateRequest.
https://tools.ietf.org/rfcmarkup?doc=5246#section-7.4.4

-Ekr

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email