IETF Logo Mail Archive

Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

Eric Rescorla <ekr@rtfm.com> Thu, 23 March 2017 15:23 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13B17129781 for <tls@ietfa.amsl.com>; Thu, 23 Mar 2017 08:23:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IUL8GJaRIJfk for <tls@ietfa.amsl.com>; Thu, 23 Mar 2017 08:23:55 -0700 (PDT)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4E4012426E for <tls@ietf.org>; Thu, 23 Mar 2017 08:23:55 -0700 (PDT)
Received: by mail-yw0-x22d.google.com with SMTP id v76so149197921ywg.0 for <tls@ietf.org>; Thu, 23 Mar 2017 08:23:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=z+UBiA8KMTWrnrDXxdoQQU5+p3fPhlS3Gg12EzzEUCA=; b=q0J8DvD9cUwJUJF/oAju43bx1SnL7xDdaT19KR7aYOh0jUEbgibuS86bAAG8yXIC+9 tliYN4Ish2IXBMhxkSKU89yzLdncE0tqrbmagiVLi9kUHUG3DkFDNm5sMII64K+5qFRE UXo+YBNFBswdjId6QtD9ro1Ynmn1V3a3ibRQCaFU+LXXvswG0JlAzwmOm4ucWnF9SnE7 2x0AWoUydnXdie373tHA/8Vu0lxtAF/Ih+w2zB/sQN0wTZrgXNBH6cwsoL/EqS0jaqER R8XNKuOQWjNAdcM0YEL5h5K8NQ9M8M/ehGdsbxLhfVBbikqFxfFR1icOsap/Cu5w30M1 IhRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=z+UBiA8KMTWrnrDXxdoQQU5+p3fPhlS3Gg12EzzEUCA=; b=c1xuEZFr+XqJI5ue3St1Uckhas3hvJsqvYmsoHH5iiw+f/TgeZtvDFpuf/DN4Dl1BF 8ffSEy0APrqXwmX0f6iZf12BB6PCot7s+8cGQld9pHoun/IWAPFLUZesszyslE17yADn fAKZ1dQlE5BtiTb36lQFVH9kjrV21eeJIrlziWMbKUzI2vmnXAF3Muzexo3XhFPJ0MTI DtQKAhrAG/cHtuPpzWhGBhwpH+Jm6dLNEJ1YfDdjM4j04VY6USsZ5X578Q+HFnSSpGxT xj7XTJZdIJ5gK/7bxCa3snhZQu0SnfGLacRW6O04hPb9brg98II+VE185x34F+XPsW4j 3wRA==
X-Gm-Message-State: AFeK/H0WR4akl+p/3O1d9wWlh8VCkw06s2hRgeB0lISyPUrOLxo/koNmBitEMsEGAg1TLGftjYnfOaEW9TO8uA==
X-Received: by 10.37.53.138 with SMTP id c132mr2100572yba.105.1490282634751; Thu, 23 Mar 2017 08:23:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Thu, 23 Mar 2017 08:23:14 -0700 (PDT)
In-Reply-To: <4DD1F233-D659-4F79-9ADA-BC31A49DA653@dukhovni.org>
References: <E6C9F0E527F94F4692731382340B337846DD1B@DENBGAT9EH2MSX.ww902.siemens.net> <4DD1F233-D659-4F79-9ADA-BC31A49DA653@dukhovni.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 23 Mar 2017 08:23:14 -0700
Message-ID: <CABcZeBNu_9EHKWFzWFvtcUZ5GA5SQ8DbjHqEvn4yjBLH6=yuXg@mail.gmail.com>
To: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114bbb320f478f054b6777d3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zx14CTYleReeNYJZWZxi6pUXh5s>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 15:23:58 -0000

On Thu, Mar 23, 2017 at 7:39 AM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> > On Mar 23, 2017, at 10:31 AM, Fries, Steffen <steffen.fries@siemens.com>
> wrote:
> >
> > According to  TLS 1.2 section 7.4.1.4.1. a client may use the
> > signature_algorithm extension to signal any combinations the
> > client supports, listed in the order of preferences.
>
> The signature algorithm is primarily about signatures made as part
> of the TLS handshake, and not so much signatures in certificates.
>

This does not seem consistent with
https://tools.ietf.org/rfcmarkup?doc=5246#section-7.4.2

"If the client provided a "signature_algorithms" extension, then all
certificates provided by
the server MUST be signed by a hash/signature algorithm pair that appears
in that extension."

I appreciate that there are people who feel that this rule is bad, and
to some extent it has been relaxed in 1.3, but I think the text is
pretty clear here.


> If the client does not use this extension, the server must use the
> > signature algorithm in combination with SHA1.
>
> For signing the TLS key exchange, however, it should still present
> whatever certificate chain it has, even if that chain employs SHA256.
> It is exceedingly unlikely these days that a client will not support
> SHA256 signatures in the certificate chain.
>

Yes, that's generally true. Though a TLS 1.2 client which does not offer
SHA-256
in its ClientHello but accepts SHA-256 is broken. So, this should generally
only happen with TLS 1.1 and below.



> Unfortunately the server is not allowed to use this extension, otherwise
> > he could tell the client his preferences according to his security
> policy.
>
> The protocol (as it should) lacks the additional round-trips necessary for
> the server to initiate signature algorithm negotiation.
>

I'm not sure quite what the OP Is trying to achieve here. For certificates
offered
by the server, the client just tells you what algorithms it will accept for
no negotiation
is needed. For certificates offered by the client, the server tells the
client
what algorithms it will accept in the CertificateRequest.
https://tools.ietf.org/rfcmarkup?doc=5246#section-7.4.4

-Ekr

v2.23.0 | Report a Bug | By Email