Re: [TLS] Doubts in draft-ietf-tls-rfc4492bis

David Benjamin <> Mon, 24 July 2017 16:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 33F83131E9D for <>; Mon, 24 Jul 2017 09:27:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Z7q5mD71V9aR for <>; Mon, 24 Jul 2017 09:27:20 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E7078131E97 for <>; Mon, 24 Jul 2017 09:27:19 -0700 (PDT)
Received: by with SMTP id v190so59255885pgv.2 for <>; Mon, 24 Jul 2017 09:27:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ChUkFGCxv5itwfOG1NGC6qxn2AvgCuC85tnZiJTtUb0=; b=H4mQbUZYdBkFVeBpagMtMVLixDzPCU3vYqGKa8IU+0thyGPxmMH0yMcdfIZcT3HCFd XiFe/lZFmQbwmK2q/5/Jjwzm3eKTcSfUFIwTqFz+ljwkZChO0Q8y/Sg9HZePyBDRl5Zw 7AKoCHGxULjx1oznxPhVnCF7cldoAjN+x+x4M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ChUkFGCxv5itwfOG1NGC6qxn2AvgCuC85tnZiJTtUb0=; b=KrfmLwvq71xoi+XK4wr0uew/lBX1uI5pMs6lEifRxtD/qw/IS62KRaFt1I8PRslRyK QFtfYi8feWynkccVb/jdTBwbhXKmKx2ei9DjprcZbST4/urLxAH0JEc9WlMaLCduuGk/ eQQhCei1ARtEqchTOJU6ChbaDPj6ATB/UWyFT9Ea2+D4p9NOHfDMpqjJfoy7f4pSDnlC YbfnMKhrehuMci1qteFqkZrY7mZZgbomgZPC+c3LsxANRPJMKpVfLm4JpJgKviltTXFM EHMfbrrJEohfdn0i2wqHpA8hjyZDAus710Yf0KaCo0x8cUsa4MetLAHJLvTisB2u/1qQ IOLg==
X-Gm-Message-State: AIVw112gu7ae8ScjpJ1m+JB+hgDllzqABMxtgX+rXlDQ92dS+Ug3z7HY r8iMYJUsjsxLR2x+WSQT+3GPbfeP6A/3
X-Received: by with SMTP id v15mr16676127pgq.229.1500913639313; Mon, 24 Jul 2017 09:27:19 -0700 (PDT)
MIME-Version: 1.0
References: <> <20170724145815.xuhzjqsbnf5eardr@LK-Perkele-VII>
In-Reply-To: <20170724145815.xuhzjqsbnf5eardr@LK-Perkele-VII>
From: David Benjamin <>
Date: Mon, 24 Jul 2017 16:27:08 +0000
Message-ID: <>
To: Ilari Liusvaara <>, Raja ashok <>
Cc: "<>" <>
Content-Type: multipart/alternative; boundary="089e082249e04fcd63055512b057"
Archived-At: <>
Subject: Re: [TLS] Doubts in draft-ietf-tls-rfc4492bis
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 24 Jul 2017 16:27:22 -0000

I believe what Raja is pointing out is that a server which accepts an ECDSA
*client* certificate has no way to advertise to the client which curves it
accepts. The signature algorithm list (and before TLS 1.2, the certificate
types) do advertise ECDSA as a whole, but not curves. E.g., a client with
both a P-256 and P-384 certificate may send P-384 when the server only
accepted P-256. This issue existed in RFC 4492 as well.

Though I wouldn't say the implication is all curves must be implemented.
Rather I think you just reject those curves you don't accept and manage
your client certificate deployment so that all servers accept a curve
before starting to use those certificates.

That's not great, so TLS 1.3 fixes this by moving ECDSA curves into
signature algorithms. It's too late to change supported_groups to allow a
TLS 1.2 ServerHello acknowledgement since clients will unexpected server
extensions[*], so I would suggest we just leave this in the awkward state
for TLS 1.2 and say it is fixed in TLS 1.3.


[*] Although, glancing through ours, it seems we do accept and ignore a
ServerHello supported_groups in TLS 1.2. We apparently came across a server
implementation which sent it, contrary to the spec.

On Mon, Jul 24, 2017 at 10:58 AM Ilari Liusvaara <>;

> On Mon, Jul 24, 2017 at 01:48:13PM +0000, Raja ashok wrote:
> > Hi Nir, Josefsson & Pegourie,
> >
> > As per section 5.2 server should send only "Supported Point Format"
> > extensions in server hello message. And it doesn't require to send
> > "Supported Elliptic Curve" extensions. Because of this if server is
> > supporting only few Curves and if it receives unsupported Elliptic
> > curve in client certificate message, then server might not be able
> > to continue the handshake.
> In TLS 1.2, the client sends the list of curves (and other groups
> and DHFs) it supports. The server picks one if it can.
> Thus if there is at least one common curve that both client and
> server support, then the group selection will succeed (if there
> is none, then no matter what one does things won't work).
> The actual curve server selected is transmitted in ServerKeyExchange
> message.
> In TLS 1.3, things get bit more complicated, since client can
> signal it supports a group without sending a share for it (if
> server selects such group, it needs to tell the client to retry
> using HelloRetryRequest message). The server group selection is
> in KeyShare extension in ServerHello message.
> -Ilari
> _______________________________________________
> TLS mailing list