TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
certificate that *only* lists:
X509v3 Key Usage:
Key Encipherment, Data Encipherment
(which one might take to mean that only RSA key exchange is allowed,
and DHE-RSA is not, for lack of the DigitalSignature bit?
[ In the unlikely case it matters, the record the certificate
in question is self-signed, and has a DANE TLSA "3 0 1" record. ]
-- Background:
I am somewhat sympathetic to forbidding RSA key exchange when
"Key Encipherment" is not listed, in order to reduce the risk of
Bleichenbacher-type attacks, but it is not obvious at first blush
why one might the converse restriction...
The reason I ask is that the Haskell TLS library has recently added
enforcement in both directions, and I am finding some SMTP servers
with whose STARTTLS implementation my DANE scan engine no longer
interoperates.
And yet, FWIW, OpenSSL 1.1.1 continues to connect just fine. Is
this an oversight in OpenSSL? Overly strict enforcement in Haskell's
Network.TLS? Should the language in RFC8446 apply also to TLS 1.2
and earlier, where no mention of "keyUsage" is to be found in the
relevant specifications?
The text in 8446 is not crystal clear on the intent. Is keyUsage
enforcement (absent OID filters from the peer) a MUST? A SHOULD?
A BCP? And which directions should it apply in? That is, does
it make sense to require RSA key transport when DHE appears to
be disallowed?
In appendix E.8 of TLS 1.3 RFC8446
<https://tools.ietf.org/html/rfc8446#appendix-E.8�>
we find:
E.8. Attacks on Static RSA
Although TLS 1.3 does not use RSA key transport and so is not
directly susceptible to Bleichenbacher-type attacks [Blei98], if TLS
1.3 servers also support static RSA in the context of previous
versions of TLS, then it may be possible to impersonate the server
for TLS 1.3 connections [JSS15]. TLS 1.3 implementations can prevent
this attack by disabling support for static RSA across all versions
of TLS. In principle, implementations might also be able to separate
certificates with different keyUsage bits for static RSA decryption
and RSA signature, but this technique relies on clients refusing to
accept signatures using keys in certificates that do not have the
digitalSignature bit set, and many clients do not enforce this
restriction.
In 4.2.5 <https://tools.ietf.org/html/rfc8446#section-4.2.5> we
also find:
This document defines matching rules for two standard certificate
extensions defined in [RFC5280]:
- The Key Usage extension in a certificate matches the request when
all key usage bits asserted in the request are also asserted in
the Key Usage certificate extension.
But that's about explicit OID filters from the peer, not a-priori
constraints.
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
