Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
Martin Rex <mrex@sap.com> Fri, 18 February 2011 19:28 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6EB7F3A6E27 for <tls@core3.amsl.com>; Fri, 18 Feb 2011 11:28:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.225
X-Spam-Level:
X-Spam-Status: No, score=-10.225 tagged_above=-999 required=5 tests=[AWL=0.024, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YTvO43X3JWXC for <tls@core3.amsl.com>; Fri, 18 Feb 2011 11:28:10 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 2DE1F3A6D4A for <tls@ietf.org>; Fri, 18 Feb 2011 11:28:09 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p1IJSUbc020807 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 18 Feb 2011 20:28:30 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201102181928.p1IJSThD006475@fs4113.wdf.sap.corp>
To: ekr@rtfm.com
Date: Fri, 18 Feb 2011 20:28:29 +0100
In-Reply-To: <AANLkTikNYQ2h=fLnwscf-d=CfQoFoH0bZ9_MAnLNX86J@mail.gmail.com> from "Eric Rescorla" at Feb 17, 11 12:54:35 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Feb 2011 19:28:11 -0000
Eric Rescorla wrote: > > Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote: > > If the server requests a client certificate then it has to store > > all messages up to (but not including) the CertificateVerify message. > > That is because he cannot possibly know which signature algorithm > > hash the client will use. > > Agreed. I can't recall if we discussed this when this feature was being > designed for 5246 but ISTM that the only way to have this work that > didn't have this property would be for the client to offer all his > certificates up-front and the server to select one, since it's > possible that each cert comes with a specific hash algorithm tied to it. I am quite confused by a few issues in TLSv1.2 / rfc-5246 about hash and signature algorithms. In particular, that TLSv1.2 forces TLS-proprietary digital signatures from the TLS handshake messages ServerKeyExchange and CertificateVerify into the same single algorithm negotiation with digital signatures on certificates appears to create significant new problems. rfc-5246, 7.4.2 Server Certificate last paragraph on page 49 http://tools.ietf.org/html/rfc5246#page-49 If the client provided a "signature_algorithms" extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension. Note that this implies that a certificate containing a key for one signature algorithm MAY be signed using a different signature algorithm (for instance, an RSA key signed with a DSA key). ? This is ? a departure from TLS 1.1, which required that the algorithms be the ? same. I searched TLSv1.1 (rfc4346) from top to buttom but did NOT find any requirements about signature algorithms of certificates in that spec. I have also not noticed any such restrictions in TLS implementations I looked at. So I created a DSA-rootCA, an rsa-2048 server cert, started a TLSv1.0 with this and WindowsXP, Firefox3 an OpenSSL all happily communicate with it. So this part of rfc-5246 purports to solve a problem that actually does not exist in earlier versions of TLS. The "solution" that TLSv1.2 alleges to provides looks more like a cumbersome limitation to me. While there is zero problem of using certificate chains with arbitrary mixtures of signature algorithms in TLSv1.1 and prior, this doesn't work anymore when negotiating TLSv1.2, in particular for signature algorithms which can not be represented with the code points of TLSv1.2. TLS implementations that do not want to hang on to carry along all handshake messages may want the list of hashes permitted for the "digitally signed" construct in ServerKeyExchange and CertificateVerify to be as small as possible, while they may want to remain a liberal as possible about digital signature algorithms on certificates, similar to all version of TLS up to v1.1. It's unclear for me what motivated conflating two quite contradictory objectives into a single protocol element (the SignatureAlgorithm list in the ClientHelloExtension SignatureAlgorithm applying to both ServerCertificate and ServerKeyExchange handshake messages, and the list of SignatureAlgorithms in CertificateRequest applying to both ClientCertificate and CertificateVerify handshake messages. As a result of this, any PKIs with less common digital signature algorithms on path certificates that may have worked perfectly fine with SSLv3, TLSv1.0 and TLSv1.1, and continue to work with an implementation of TLSv1.2 that negotiates only v1.0 or v1.1 are required to fail by the TLSv1.2 spec when TLSv1.2 is negotiated, because of a lack of code points to represent digital signature AlgIDs plus the complete lack of knowledge about the AlgIDs supported in the PKI implementation within the architecturally independent TLS protocol stack. A year ago we started shipping support for GOST ciphersuites based on this proposal: http://tools.ietf.org/html/draft-chudov-cryptopro-cptls-04 in our (at that time OEM) implementation of TLSv1.0, with the GOST crypto algorithms provided to the TLS stack through a plugin- interface to a third-party (certifiable) GOST crypto plugin. A very similar capability exists in Windows XPsp2, where the GOST cipher suites can be used with SChannel and MSIE6 after installation of an adequate CryptoCSP, although XP's SChannel is an implementation of TLSv1.0 with _no_ TLS extensions. I believe there exists more flexibility in TLSv1.0/v1.1 architecture than rfc5246 asserts. -Martin
- [TLS] TLSv1.2 with DSA client cert and key size >… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Wan-Teh Chang
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- [TLS] TLS v1.2 performance (was Re: TLSv1.2 with … Michael D'Errico
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Nikos Mavrogiannopoulos
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Kemp, David P.
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Wan-Teh Chang
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yoav Nir
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Marsh Ray
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Kyle Hamilton
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Sean Turner
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex