IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Henrik Grubbström <grubba@gmail.com> Mon, 13 July 2015 14:21 UTC

Return-Path: <grubba@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE9561B2B23 for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 07:21:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7tMi2objQmJx for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 07:21:55 -0700 (PDT)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 199ED1B2B1F for <tls@ietf.org>; Mon, 13 Jul 2015 07:21:55 -0700 (PDT)
Received: by lbbzr7 with SMTP id zr7so2861015lbb.1 for <tls@ietf.org>; Mon, 13 Jul 2015 07:21:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=hJ5in02ZJSvg1MJeEREX+lBdl0qE429wYgWtHkgKb4o=; b=B6b117U+EyqnuIC1k9iHyHZhm5+3erwr3Uf56ImA8z0/EKMGWOFAJw/KPgnk8ejxja tOZFusK1O2mb1cdT2pxZ3+uNIVEnUBaUgdtw8NC7/Y7AmPmBzQnzQZW0uqUn7EqbMc6B NxgpFMeeallWHqXbMMoOinJffFdf6GTw27exZU2qlBxDyL5GSrLOaXmpgc4rQewl/U1g 9yekE3xFrpkYXqWO662TXiC1WcDLUIJttLFEI2tdWvgZioWzwd4U6ehOQ1cd5Tx3iJNc exFU2zBPn+Yyij6mgLmJb4flzTIlC3Dg/Y8CJA5UuwdzKbF42OOQUOEgaM/LXHo1Br4P RKUQ==
MIME-Version: 1.0
X-Received: by 10.152.37.196 with SMTP id a4mr32993804lak.59.1436797313573; Mon, 13 Jul 2015 07:21:53 -0700 (PDT)
Received: by 10.112.148.105 with HTTP; Mon, 13 Jul 2015 07:21:53 -0700 (PDT)
In-Reply-To: <20150710142944.C077C1A1D5@ld9781.wdf.sap.corp>
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <20150710142944.C077C1A1D5@ld9781.wdf.sap.corp>
Date: Mon, 13 Jul 2015 16:21:53 +0200
Message-ID: <CALuAYvYXHF0FQg_q2F0Q6vW-i3JFFSn+cCup+ErcQD-u4aGVHA@mail.gmail.com>
From: Henrik Grubbström <grubba@gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/zZlkiUkNkBIyQBJToYKm63ux-_k>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 14:21:57 -0000

On Fri, Jul 10, 2015 at 4:29 PM, Martin Rex <mrex@sap.com> wrote:
> Henrik Grubbström wrote:
>>  Martin Rex <mrex@sap.com> wrote:
>>> The issue here is the (lack of the) TLSv1.2 signature_algorithms extension.
>>>
>>> Windows SChannel appears to treat the absence of this extension
>>> the same as the presence of an extension with (md5,rsa) (sha1,rsa) (sha1,dsa)
>>>
>>> If you send the TLSv1.2 signature_algorithms extension with the
>>> algorithm matching the signature of the server certificate, e.g.
>>> (sha256,rsa) in the above example, then a TLSv1.2 handshake will succeed.
>>
>> Sounds like it is complying with the TLS v1.2 RFC. Fix your client.
>
>
> Nope, _our_ client is perfectly compliant by _not_ sending TLS extensions.
> SCHannel is violating a MUST requirement, failing to properly process
> a ServerHello without a TLS extension.
>
> https://tools.ietf.org/html/rfc5246#section-7.4.1.2
>
>   7.4.1.2  ClientHello
>
>    extensions
>       Clients MAY request extended functionality from servers by sending
>       data in the extensions field.  The actual "Extension" format is
>       defined in Section 7.4.1.4.
>
>
>                                       A server MUST accept ClientHello
>    messages both with and without the extensions field,

Yes, and section 7.4.1.4.1 says that that means:

| If the client does not send the signature_algorithms extension, the
| server MUST do the following:
|
|   -  If the negotiated key exchange algorithm is one of (RSA, DHE_RSA,
|      DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), behave as if client had
|      sent the value {sha1,rsa}.
|
|   -  If the negotiated key exchange algorithm is one of (DHE_DSS,
|      DH_DSS), behave as if the client had sent the value {sha1,dsa}.
|
|   -  If the negotiated key exchange algorithm is one of (ECDH_ECDSA,
|      ECDHE_ECDSA), behave as if the client had sent value {sha1,ecdsa}.

Which indicates that the server in effect MUST behave as if there was
an implicit signature_algorithms value of
{{sha1,rsa},{sha1,dsa},{sha1,ecdsa}}.

Section 7.4.2 then says that the certificate chain either MUST or
SHOULD (depending on the interpretation of the "behave as if" above)
be validated against the implicit signature_algorithms extension.

-- 
Henrik Grubbström                                       grubba@grubba.org
Roxen Internet Software AB                              grubba@roxen.com

v2.23.0 | Report a Bug | By Email