IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

mrex@sap.com (Martin Rex) Mon, 13 July 2015 17:45 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62AE91B2CB5 for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 10:45:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mV9JXH39SCwp for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 10:45:07 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 134911B2CC3 for <tls@ietf.org>; Mon, 13 Jul 2015 10:45:06 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 7CD1A2A8AA; Mon, 13 Jul 2015 19:45:03 +0200 (CEST)
X-purgate-ID: 152705::1436809503-0000413A-34B513B6/0/0
X-purgate-size: 1964
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 6F6F940494; Mon, 13 Jul 2015 19:45:03 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 66E451A1DD; Mon, 13 Jul 2015 19:45:03 +0200 (CEST)
In-Reply-To: <BLUPR03MB1396DF5184A7E3DFAF3F11028C9C0@BLUPR03MB1396.namprd03.prod.outlook.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Date: Mon, 13 Jul 2015 19:45:03 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150713174503.66E451A1DD@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/xpLCJBDKw4_J4pyLZcsPNM1lxEA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 17:45:08 -0000

Andrei Popov wrote:
>
> I think a good design is to have the client explicitly advertise any
> algorithms the client is willing/able to support, and for the server
> to honor the client's capabilities.

A good design provides robust interop and good backwards-interoperability,
and a reasonble default set of algorithms to be unconditionally available.
Why TLSv1.2 did imply availability of sha256WithRsaEncryption by default,
is beyond my understanding.

The rfc5246 PDU Definition for ClientHello clearly makes HelloExtensions
and optional (MAY) feature for clients and the acceptance of extension-less
ClientHellos a mandatory (MUST) feature for Servers.  Similarily,
Appendix E allows the use of a SSL Version 2 CLIENT-HELLO instead of
and extension-less TLS ClientHello,

It has already been observed by others, a server can not make up
signatures with client-requested signature schemes at will during
the TLS handshake, but can only pick from the set of existing
server certificates that have been preconfigured by the server admin
-- and often this may be just one single server certificate.

The server responding with an ambiguous "handshake_failure" if the
admin-configured server cert does not fit the silly "implicit" algs
that a server boldly assumes based on the design-flawed wording
in rfc5246 7.4.1.4.1 in absence of ClientHelloExtensions is
is a bad idea, and if the client-visible behaviour is a silent
connection closure (this is what Microsoft IIS does) it is the
worst possible outcome.  This behaviour is completely indistinguishable
from that of defective extensions-intolerant and TLS-version
intolerant servers!


Would the server respond with the next best fit (the way this has been
and still is being done, even by Microsoft SChannel, for SSLv3, TLSv1.0
and TLSv1.1), then the client can at least produce a meaningful
error message and show the certificates that it can not process.


-Martin

v2.23.0 | Report a Bug | By Email