Geoffrey Keating <geo...@geoffk.org> wrote:
> Viktor Dukhovni <ietf-d...@dukhovni.org> writes:
>>
>> TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
>> certificate that *only* lists:
>>
>> X509v3 Key Usage:
>> Key Encipherment, Data Encipherment
>
> Yes, because in DHE-RSA, the RSA key is used for signing, and this is
> an encryption-only key.
There is *ZERO* security problem associated with TLS client allowing a TLS server to do this, but it makes it harder to catch defective CA software and bogus CA issuing practices when clients do not complain here -- and the TLS specification says this KeyUsage DigitalSignature is a MUST for DHE/ECDHE key exchange:

TLSv1.2: https://tools.ietf.org/html/rfc5246#page-49

    DHE_RSA        RSA public key; the certificate MUST allow the
    ECDHE_RSA      key to be used for signing (the
                   digitalSignature bit MUST be set if the key
                   usage extension is present) with the signature
                   scheme and hash algorithm that will be employed
                   in the server key exchange message.
                   Note: ECDHE_RSA is defined in [TLSECC].

TLSv1.0: https://tools.ietf.org/html/rfc2246#page-38

CAs and CA software that issues certificates as TLS server certificates (i.e. with ExtKeyUsage id-kp-serverAuth, id-kp-clientAuth or both) and forgets to assert DigitalSignature, prove their own royal brokenness.

Using an RSA key for PKCS#1 v1.5 signatures is *NO* security problem. Do not get confused by the FUD and snake-oil that resulted in the needless additional complexity of RSA-PSS in TLSv1.3, that adds ZERO security value.

https://www.schneier.com/blog/archives/2018/09/evidence_for_th.html
https://eprint.iacr.org/2018/855

There is some security risk with using an RSA signing-only key for PKCS#1 v1.5 encryption, i.e. the equivalent of using a keyUsage without keyEncipherment for static-RSA key exchange.

-Martin
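The client-side check the thread is debating, as an added example that is not part of the original post: it decodes a certificate's DER KeyUsage BIT STRING and applies the RFC 5246 7.4.2 rule (digitalSignature required for DHE_RSA/ECDHE_RSA, keyEncipherment for static RSA, no restriction when the extension is absent). The `REQUIRED_BIT` table, function names and the two sample KeyUsage values are constructed for this example.

```python
from typing import Optional

# Bit positions from RFC 5280 4.2.1.3; bit 0 is the most significant bit of the first octet.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# KeyUsage bit each key exchange needs per RFC 5246 7.4.2 (table constructed for this example).
REQUIRED_BIT = {
    "RSA": "keyEncipherment",        # static RSA: client encrypts the premaster secret
    "DHE_RSA": "digitalSignature",   # server signs ServerKeyExchange
    "ECDHE_RSA": "digitalSignature",
}

def parse_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage (BIT STRING) into the set of asserted bit names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a BIT STRING with a one-byte length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    nbits = len(body) * 8 - unused
    names = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names

def key_usage_permits(key_usage_der: Optional[bytes], kx: str) -> bool:
    """True when the negotiated key exchange `kx` is allowed by the certificate's KeyUsage.
    An absent extension (None) imposes no restriction, matching the RFC wording."""
    if key_usage_der is None:
        return True
    return REQUIRED_BIT[kx] in parse_key_usage(key_usage_der)

# Constructed sample values (DER minimal encoding, so unused bits are trailing zeros).
KU_ENCIPHERMENT_ONLY = bytes.fromhex("03020430")  # keyEncipherment, dataEncipherment
KU_SIG_AND_ENC = bytes.fromhex("030205a0")        # digitalSignature, keyEncipherment

if __name__ == "__main__":
    for kx in ("RSA", "DHE_RSA", "ECDHE_RSA"):
        print(kx, "with encipherment-only KeyUsage:", key_usage_permits(KU_ENCIPHERMENT_ONLY, kx))
```

With the encipherment-only certificate from the thread, the check passes for static RSA and fails for DHE_RSA and ECDHE_RSA, which is exactly the case Viktor asks about.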