TLS 1.3 handshake: Limit signature algorithm?

TLS 1.3 handshake: Limit signature algorithm?

Christian Heimes
Hi,

I'm one of the maintainers of Python's ssl module. A couple of days ago
Hanno Böck opened an issue [1] against the ssl.get_server_certificate()
function [2][3]. It's a helper function to retrieve the end-entity
certificate from a remote TLS/SSL server over an unverified connection.

The implementation [3] is rather simple and has some limitations. Hanno
pointed out that it cannot handle servers with multiple certificate
types. For example Facebook supports RSA and ECDSA certs. Python's
ssl.get_server_certificate() can only retrieve the ECDSA cert. It's
fairly simple to fix the problem for TLS 1.2 and lower by limiting the
cipher suites to "aRSA:!NULL" for RSA certs and "aECDSA:!NULL" for ECDSA
certs [4].

However, this trick will not work with TLS 1.3. The new TLS 1.3 cipher
suites no longer specify the authentication algorithm or key
agreement/exchange. The TLS 1.3 RFC specifies a signature_algorithms
extension [5]. I could not find any API call in OpenSSL master to set
the extension for TLS 1.3 handshakes.

How can a client enforce a specific authentication algorithm or set of
signature algorithms for TLS 1.3 handshake?

Regards,
Christian

[1] https://bugs.python.org/issue31892
[2] https://docs.python.org/3/library/ssl.html#ssl.get_server_certificate
[3] https://github.com/python/cpython/blob/v3.6.2/Lib/ssl.py#L1201-L1218
[4] https://gist.github.com/tiran/6e7a5b00483376e164c951730db7d4e5
[5] https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.2.3
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
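The cipher-string trick from the message above, as an added, runnable illustration (example code written for this page; it is not Christian's gist [4] and not part of Python's ssl module). It asks OpenSSL itself, via SSLContext.get_ciphers(), which authentication algorithm each suite left by "aRSA:!NULL" or "aECDSA:!NULL" carries, which makes the TLS 1.3 problem visible: the TLS_* 1.3 suites survive any cipher string and report Au=any. Assumptions: Python 3.7+ built against OpenSSL 1.1.1 or later (older builds simply list no TLSv1.3 suites); the helper get_server_certificate_for() is a hypothetical name, and its cap at TLS 1.2 is a workaround chosen here because the ssl module exposes no signature_algorithms setter.

```python
import re
import socket
import ssl

# OpenSSL's cipher description looks like
# "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD";
# the Au= field is the authentication (certificate) algorithm the suite needs.
_AU_RE = re.compile(r"\bAu=(\S+)")


def suite_auth_algorithms(cipher_string):
    """Map suite name -> (protocol, auth algorithm) for the suites a client
    context offers after set_ciphers(cipher_string).

    TLS 1.3 suites are not filtered by the cipher string at all and report
    Au=any, so they are still offered after "aRSA:!NULL" or "aECDSA:!NULL".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    result = {}
    for suite in ctx.get_ciphers():
        match = _AU_RE.search(suite["description"])
        result[suite["name"]] = (suite["protocol"], match.group(1) if match else "")
    return result


def check_restriction(cipher_string, wanted_auth):
    """Return (tls12_ok, tls13_leaks).

    tls12_ok    - every pre-1.3 suite left by cipher_string uses wanted_auth
                  (the condition that makes the TLS 1.2 trick sound).
    tls13_leaks - TLS 1.3 suite names still offered; if non-empty, a server
                  that negotiates TLS 1.3 is free to pick either certificate.
    """
    suites = suite_auth_algorithms(cipher_string)
    tls12_ok = all(au == wanted_auth
                   for proto, au in suites.values() if proto != "TLSv1.3")
    tls13_leaks = sorted(name for name, (proto, _) in suites.items()
                         if proto == "TLSv1.3")
    return tls12_ok, tls13_leaks


def get_server_certificate_for(host, port, cipher_string, timeout=5.0):
    """Fetch the end-entity certificate (PEM) a server presents when the
    client offers only cipher_string suites, over an unverified connection
    like ssl.get_server_certificate().

    Hypothetical helper, not a Python API. It caps the handshake at TLS 1.2
    because at TLS 1.3 the cipher string no longer constrains the
    certificate type and the ssl module has no signature_algorithms setter;
    maximum_version needs Python 3.7+ on OpenSSL 1.1.0g+ (assumption).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(cipher_string)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    for cipher_string, auth in (("aRSA:!NULL", "RSA"), ("aECDSA:!NULL", "ECDSA")):
        ok, leaks = check_restriction(cipher_string, auth)
        print(f"{cipher_string}: pre-1.3 suites all Au={auth}: {ok}; "
              f"TLS 1.3 suites still offered: {leaks}")
    # Network use (not run here):
    #   pem = get_server_certificate_for("www.facebook.com", 443, "aRSA:!NULL")
```

A point worth keeping in mind when using the cap: forcing TLS 1.2 only helps while the server still accepts it; a TLS 1.3-only server will fail the handshake rather than hand over the "wrong" certificate, so treat an SSLError here as "no certificate retrievable this way", not as "the server has no such certificate".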
Re: TLS 1.3 handshake: Limit signature algorithm?

Matt Caswell-2


On 02/11/17 10:32, Christian Heimes wrote:
> However, this trick will not work with TLS 1.3. The new TLS 1.3 cipher
> suites no longer specify the authentication algorithm or key
> agreement/exchange. The TLS 1.3 RFC specifies a signature_algorithms
> extension [5]. I could not find any API call in OpenSSL master to set
> the extension for TLS 1.3 handshakes.

Probably you want to look at these functions:

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_sigalgs.html

Matt