IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Dave Garrett <davemgarrett@gmail.com> Fri, 10 July 2015 15:37 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFAED1B29F8 for <tls@ietfa.amsl.com>; Fri, 10 Jul 2015 08:37:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b7Q-XN4xp03m for <tls@ietfa.amsl.com>; Fri, 10 Jul 2015 08:37:56 -0700 (PDT)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31CCE1B29FE for <tls@ietf.org>; Fri, 10 Jul 2015 08:37:47 -0700 (PDT)
Received: by qkdv3 with SMTP id v3so13978951qkd.3 for <tls@ietf.org>; Fri, 10 Jul 2015 08:37:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=+vLCgBACXfuovxGEkBvaMEj7XRAQN4SV1hEvr9bh/MU=; b=gyzQoAEN9/n1LG0SywP4kHCXMgaeAplHFbPMDu6/VTveKoAEeUX9J9PnuJlv9Ol2GE 6mj1rpRQYh5mUzrnReqtaW56RJHLDdDb9r43H2n50iFDOCCuqLuxiGVhJ5MTWEEBErRs WhFQ1Sbh5KQqZ7Uj8oQOUjtrrOHOAKXNO3TNIkoh0hvZJIKdtKmXcByfmUcQ8IIYrnoy kGvyDgQbwJsKmWgk9Jnn2YMwFlAHdel69FV0yG/RJhRIxZgp4qFWRB6KnAFCw+MS38nP oTqR8MKHRwn2gnHOGU7jw357jPF4hdC1xys/Dk9K6SkEYAbXpXUNQ9Eve4TJWBrL80G2 4SWA==
X-Received: by 10.140.96.38 with SMTP id j35mr33989715qge.43.1436542666495; Fri, 10 Jul 2015 08:37:46 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by smtp.gmail.com with ESMTPSA id f106sm5899470qgd.30.2015.07.10.08.37.45 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 10 Jul 2015 08:37:45 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 10 Jul 2015 11:37:44 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <CACsn0c=W8c5KjHtVEpHeBVy-ifJxTKoN1+WXP0EZ8fJqqd3yxA@mail.gmail.com> <20150710150514.GS28047@mournblade.imrryr.org>
In-Reply-To: <20150710150514.GS28047@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201507101137.44703.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uLT3SkxYwBHSoy03YL7R7OQ9Bac>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 15:37:59 -0000

On Friday, July 10, 2015 11:05:15 am Viktor Dukhovni wrote:
> Yes, when possible servers should provide a chain that is more
> likely to be understood by the client.  But refusing to provide
> the chain they have, just because the client did not disclose every
> signature algorithm it supports (or simply did not send any) is a
> mistake in the implementation and likely a design error in the
> specification.

A TLS 1.2 client is not capable of not indicating at least some set of support. (unless it sends an invalid empty extension)

https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1

   If the client supports only the default hash and signature algorithms
   (listed in this section), it MAY omit the signature_algorithms
   extension.  If the client does not support the default algorithms, or
   supports other hash and signature algorithms (and it is willing to
   use them for verifying messages sent by the server, i.e., server
   certificates and server key exchange), it MUST send the
   signature_algorithms extension, listing the algorithms it is willing
   to accept.

   If the client does not send the signature_algorithms extension, the
   server MUST do the following:
   [use SHA1 defaults]

The only instance a TLS 1.2 client is allowed to omit the extension is when it only support the defaults. If it doesn't support the default or supports something else (or both) then it MUST send the extension. The server MUST interpret the lack of an extension as equivalent to sending SHA1 support. A client not sending the extension is telling the server not to send it anything other than SHA1.

Yes, it doesn't explicitly say what the server should do when the client has not indicated support for anything it has, but a client is in the wrong for not indicating it. The client side is a spec error; the server side is just problematic.


Dave

v2.23.0 | Report a Bug | By Email