Skip to content
  1. Jun 25, 2017
    • Benjamin Kaduk's avatar
      Add constants for TLS 1.3 SignatureScheme values · d499a3e1
      Benjamin Kaduk authored
      
      
      Put them into the TLSProxy::Message namespace along with the extension
      type constants.
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/3326)
      d499a3e1
    • Benjamin Kaduk's avatar
      Disallow DSA/SHA1/etc. for pure TLS 1.3 ClientHellos · 6ffeb269
      Benjamin Kaduk authored
      
      
      In draft-ietf-tls-tls13-20 Appendix B we find that:
      
         This section describes protocol types and constants.  Values listed
         as _RESERVED were used in previous versions of TLS and are listed
         here for completeness.  TLS 1.3 implementations MUST NOT send them
         but might receive them from older TLS implementations.
      
      Similarly, in section 4.2.3 we see:
      
         Legacy algorithms  Indicates algorithms which are being deprecated
            because they use algorithms with known weaknesses, specifically
            SHA-1 which is used in this context with either with RSA using
            RSASSA-PKCS1-v1_5 or ECDSA.  These values refer solely to
            signatures which appear in certificates (see Section 4.4.2.2) and
            are not defined for use in signed TLS handshake messages.
            Endpoints SHOULD NOT negotiate these algorithms but are permitted
            to do so solely for backward compatibility.  Clients offering
            these values MUST list them as the lowest priority (listed after
            all other algorithms in SignatureSchemeList).  TLS 1.3 servers
            MUST NOT offer a SHA-1 signed certificate unless no valid
            certificate chain can be produced without it (see
            Section 4.4.2.2).
      
      However, we are currently sending the SHA2-based DSA signature schemes
      and many SHA1-based schemes, which is in contradiction with the specification.
      
      Because TLS 1.3 support will appear in OpenSSL 1.1, we are bound by
      stability requirements to continue to offer the DSA signature schemes
      and the deprecated hash algorithms.  at least until OpenSSL 1.2.
      However, for pure TLS 1.3 clients that do not offer lower TLS versions,
      we can be compliant.  Do so, and leave a note to revisit the issue when
      we are permitted to break with sacred historical tradition.
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/3326)
      6ffeb269
  2. Jun 24, 2017
  3. Jun 23, 2017
  4. Jun 22, 2017
  5. Jun 21, 2017