Server does not respect client provided hash algorithm list

[ondrap]

I would like to use some Go client to connect to haskell using TLS, however it seems that the Go client doesn't understand SHA512. It correctly sends this information in Client HELO, yet the server responds with SHA512 in the EC Diffie-Hellman server params. It seems to me that the server doesn't merge client and server supported hash algorithms and just uses what the server has in serverSupported.

I limited it and got "unimplemented RSA signature hash type: HashSHA384", limiting it to SHA256 ultimately solved the problem.

[valpackett]

I'm currently seeing "unimplemented RSA signature hash type: HashSHA384" when connecting to a Go server from a Haskell client!

What is it with Haskell and Go :-(

UPD: sent a PR: #138

[kazu-yamamoto]

If this is already fixed by #138, please close this issue.

[ondrap]

I think #138 doesn't really fix the issue; it adds a SHA384 to the supported ciphers, which mitigates the problem with Go servers (and clients? I haven't tested it - maybe not), however the problem is that the server should check its cipher list against the client provided list and choose a cipher from the intersection of these 2 lists. It seems to me the server doesn't do that.

[kazu-yamamoto]

I suddenly remembered that I have hit upon the same thing in Warp, too:

https://github.com/yesodweb/wai/commit/172665439cf377370ae0fe9465301015b25e908d

[kazu-yamamoto]

It correctly sends this information in Client HELO

@ondrap Do you mean the signature algorithm extensions in client hello? If so, Haskell server should compute intersection between the values of the extension and supportedHashSignatures.

[kazu-yamamoto]

I would like to have test cases for this. Any volunteers?

[ondrap]

Do you mean the signature algorithm extensions in client hello? If so, Haskell server should compute intersection between the values of the extension and supportedHashSignatures.

Probably... I'm no well versed in tls - I remember I just checked the hs-tls sources and found out it doesn't do that; and I think it should. But I didn't see an obvious way to make a PR.

My test case was connecting the go client (I used the winlogbeats/filebeats from elasticsearch). I could probably try to test it out again.

[kazu-yamamoto]

OK. Now I can reproduce this by reverting the patch above in Warp and h2spec written in Go.

[kazu-yamamoto]

177 should fix this issue.

[kazu-yamamoto]

This has been fixed. Let's close.