Currently TLS has two alert descriptions for when there is no intersection between ciphers/sigalgs/groups advertises by client and ones that are enabled in server. It's the handshake_failure and insufficient_security alerts.
While it is a step in good direction in providing users with better messages in case of connection failure, I think there is one edge case which may ruin the effort. Let's say we have a client that advertises following signature methods: rsa-ssa-sha256 rsa-ssa-sha384 and this client is connecting to server which requires use of rsa-ssa-sha512 signatures only, but does implement weaker hashes and the requirement is just result of administrator requiring high security. I think that such connection attempt should end with insufficient_security. Problem is, what if the server does not implement some even never RSA signature format, but client does advertise support for them? I think then the connection should end with handshake_failure. So I think we should add to the insufficient_security description the following sentence: In case the connection peer advertised security parameters not recognized or unsupported by the implementation, the implementation MUST send "handshake_failure" alert instead. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
