Open bernd-edlinger opened 1 day ago
If both versions support TLS-1.3 they must never choose older version. If they cannot agree on supported groups connection failure is inevitable.
The problem is the client cannot know how the server is configured, and therefore the server should take the
signature_algorithms
extension into account, because the meaning of the ECDSA signature algorithm IDs are
quite different for TLS1.3 and for TLS1.2:
TLS1.3 implies a 1:1 connection between ECDSA signature algorithms and EC groups,
but TLS1.2 allows the cross product of signature_algorithms
extension and supported_groups
extension.
The server should know that, and choose TLS1.2 if it has the freedom to do so.
If both sides support TLS 1.3, that should be used. Otherwise you can force the use of older TLS versions.
What you say means that, when the server does only support TLS1.2,
then a man in the middle could simply remove any signature that he don't like
from the signature_algorithms
extension of the client hello, say everything
with sha256, sha384 and sha512 in the name, and neither
the server nor the client will notice anything from this attack?
Please say that there is some kind of a posteriori authentication of the unencrypted handshake messages exchanged between client and server, even if the TLS1.2 protocol is used.
Please say that there is some kind of a posteriori authentication of the unencrypted handshake messages exchanged between client and server, even if the TLS1.2 protocol is used.
The entire handshake is authenticated in the Finished message.
The entire handshake is authenticated in the Finished message.
Thanks for the confirmation.
I want to use the received client hello's signature_algorithm
extension in
addition to the server's configured -sigalgs
in is_tls13_capable
to make
the right decision which protocol to use.
When an openssl-3.0 client wants to support brainpool server certificates, but also allow TLS1.3 with RSA certificates, everything works fine, when both client and server enable brainpool groups, in addition to nist groups. So the client has to use this command line:
./openssl s_client -groups P-256:brainpoolP256r1
and the openssl-3.0 server uses this command line for brainpool:./openssl s_server -cert ../test/certs/server-ecdsa-brainpoolP256r1-cert.pem -key ../test/certs/server-ecdsa-brainpoolP256r1-key.pem -groups P-256:brainpoolP256r1
or this command line for RSA:./openssl s_server
everything works fine, RSA use TLS1.3 and ECC use TLS1.2. Also if both server and client use openssl-3.2 everything works as well, except the ECC use TLS1.3, as expected. BUT the openssl-3.0 client cannot connect to the openssl-3.2 server when the server uses brainpool:Reason is the openssl-3.2 server chooses TLS1.3 although there is no signature algorithm
ecdsa_brainpoolP256r1_sha256
advertised by the openssl-3.0 client, so that is bound to fail. As a workaround either the openssl-3.0 client or the openssl-3.2 server could disable tls1_3 but that is not desirable for the RSA server.