Re: [TLS] Doubts in draft-ietf-tls-rfc4492bis

David Benjamin <davidben@chromium.org> Mon, 24 July 2017 16:27 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33F83131E9D for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 09:27:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z7q5mD71V9aR for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 09:27:20 -0700 (PDT)
Received: from mail-pg0-x22e.google.com (mail-pg0-x22e.google.com [IPv6:2607:f8b0:400e:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7078131E97 for <tls@ietf.org>; Mon, 24 Jul 2017 09:27:19 -0700 (PDT)
Received: by mail-pg0-x22e.google.com with SMTP id v190so59255885pgv.2 for <tls@ietf.org>; Mon, 24 Jul 2017 09:27:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ChUkFGCxv5itwfOG1NGC6qxn2AvgCuC85tnZiJTtUb0=; b=H4mQbUZYdBkFVeBpagMtMVLixDzPCU3vYqGKa8IU+0thyGPxmMH0yMcdfIZcT3HCFd XiFe/lZFmQbwmK2q/5/Jjwzm3eKTcSfUFIwTqFz+ljwkZChO0Q8y/Sg9HZePyBDRl5Zw 7AKoCHGxULjx1oznxPhVnCF7cldoAjN+x+x4M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ChUkFGCxv5itwfOG1NGC6qxn2AvgCuC85tnZiJTtUb0=; b=KrfmLwvq71xoi+XK4wr0uew/lBX1uI5pMs6lEifRxtD/qw/IS62KRaFt1I8PRslRyK QFtfYi8feWynkccVb/jdTBwbhXKmKx2ei9DjprcZbST4/urLxAH0JEc9WlMaLCduuGk/ eQQhCei1ARtEqchTOJU6ChbaDPj6ATB/UWyFT9Ea2+D4p9NOHfDMpqjJfoy7f4pSDnlC YbfnMKhrehuMci1qteFqkZrY7mZZgbomgZPC+c3LsxANRPJMKpVfLm4JpJgKviltTXFM EHMfbrrJEohfdn0i2wqHpA8hjyZDAus710Yf0KaCo0x8cUsa4MetLAHJLvTisB2u/1qQ IOLg==
X-Gm-Message-State: AIVw112gu7ae8ScjpJ1m+JB+hgDllzqABMxtgX+rXlDQ92dS+Ug3z7HY r8iMYJUsjsxLR2x+WSQT+3GPbfeP6A/3
X-Received: by 10.101.70.15 with SMTP id v15mr16676127pgq.229.1500913639313; Mon, 24 Jul 2017 09:27:19 -0700 (PDT)
MIME-Version: 1.0
References: <FDFEA8C9B9B6BD4685DCC959079C81F5E2301151@BLREML503-MBX.china.huawei.com> <20170724145815.xuhzjqsbnf5eardr@LK-Perkele-VII>
In-Reply-To: <20170724145815.xuhzjqsbnf5eardr@LK-Perkele-VII>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 24 Jul 2017 16:27:08 +0000
Message-ID: <CAF8qwaDOkmSvVkOB80VkxVBDaSphgfJFWeaD3J6DtferxnTSfg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Raja ashok <raja.ashok@huawei.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="089e082249e04fcd63055512b057"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/szuN_lsapy3W1shMJFucASU4Qys>
Subject: Re: [TLS] Doubts in draft-ietf-tls-rfc4492bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 16:27:22 -0000

I believe what Raja is pointing out is that a server which accepts an ECDSA
*client* certificate has no way to advertise to the client which curves it
accepts. The signature algorithm list (and before TLS 1.2, the certificate
types) do advertise ECDSA as a whole, but not curves. E.g., a client with
both a P-256 and P-384 certificate may send P-384 when the server only
accepted P-256. This issue existed in RFC 4492 as well.

Though I wouldn't say the implication is all curves must be implemented.
Rather I think you just reject those curves you don't accept and manage
your client certificate deployment so that all servers accept a curve
before starting to use those certificates.

That's not great, so TLS 1.3 fixes this by moving ECDSA curves into
signature algorithms. It's too late to change supported_groups to allow a
TLS 1.2 ServerHello acknowledgement since clients will unexpected server
extensions[*], so I would suggest we just leave this in the awkward state
for TLS 1.2 and say it is fixed in TLS 1.3.

David

[*] Although, glancing through ours, it seems we do accept and ignore a
ServerHello supported_groups in TLS 1.2. We apparently came across a server
implementation which sent it, contrary to the spec.

On Mon, Jul 24, 2017 at 10:58 AM Ilari Liusvaara <ilariliusvaara@welho.com>;
wrote:

> On Mon, Jul 24, 2017 at 01:48:13PM +0000, Raja ashok wrote:
> > Hi Nir, Josefsson & Pegourie,
> >
> > As per section 5.2 server should send only "Supported Point Format"
> > extensions in server hello message. And it doesn't require to send
> > "Supported Elliptic Curve" extensions. Because of this if server is
> > supporting only few Curves and if it receives unsupported Elliptic
> > curve in client certificate message, then server might not be able
> > to continue the handshake.
>
> In TLS 1.2, the client sends the list of curves (and other groups
> and DHFs) it supports. The server picks one if it can.
>
> Thus if there is at least one common curve that both client and
> server support, then the group selection will succeed (if there
> is none, then no matter what one does things won't work).
>
> The actual curve server selected is transmitted in ServerKeyExchange
> message.
>
>
> In TLS 1.3, things get bit more complicated, since client can
> signal it supports a group without sending a share for it (if
> server selects such group, it needs to tell the client to retry
> using HelloRetryRequest message). The server group selection is
> in KeyShare extension in ServerHello message.
>
>
> -Ilari
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>