Bug 1155922 (Closed)
Opened 10 years ago, closed 10 years ago
NSS should offer SHA512 as a supported signature_algorithm in TLS client hello
Categories: NSS :: Libraries, defect, P1
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: 3.19
People: Reporter: KaiE, Assigned: KaiE
Attachments (1 file): patch, 981 bytes, wtc: review+
We're seeing a failure to connect using NSS with TLS 1.2 to a MS server.
After sending the client hello, the server immediately disconnects.
The server's certificate is signed using sha512WithRSAEncryption.
After some testing, I experimented by adding
    tls_hash_sha512, tls_sig_rsa,
    tls_hash_sha512, tls_sig_ecdsa,
to the array in function ssl3_ClientSendSigAlgsXtn.
With that tweak, the server was willing to continue the connection.
I believe the addition of tls_sig_rsa was sufficient, because the server selected an RSA cipher suite.
I have already discussed this with Wan-Teh.
He said that either Adam Langley or Wan-Teh may have omitted the sha512 entries from signature_algorithms to make ClientHello shorter, and they expected CA certificates to use SHA384 instead of SHA512 signatures.
The NSS code might already support this data, and in my testing, the handshake with the server succeeds.
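Added example, not part of the bug report and not NSS code: a small C check that walks the body of a TLS 1.2 signature_algorithms extension and reports whether a given {hash, signature} pair is offered, which is the property the description above is about. The function name and both sample byte arrays are constructed for illustration; the code points are those of RFC 5246.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.2 code points (RFC 5246, section 7.4.1.4.1). */
enum { HASH_SHA1 = 2, HASH_SHA256 = 4, HASH_SHA384 = 5, HASH_SHA512 = 6 };
enum { SIG_RSA = 1, SIG_DSA = 2, SIG_ECDSA = 3 };

/* ext/ext_len: extension_data of signature_algorithms (extension type 13),
 * i.e. a 2-byte big-endian list length followed by {hash, signature} pairs.
 * Returns 1 if the pair is offered, 0 if not, -1 if the body is malformed. */
int sigalgs_offers(const uint8_t *ext, size_t ext_len, uint8_t hash, uint8_t sig)
{
    if (ext == NULL || ext_len < 4)
        return -1;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != ext_len - 2 || list_len % 2 != 0)
        return -1;
    for (size_t i = 2; i + 1 < ext_len; i += 2) {
        if (ext[i] == hash && ext[i + 1] == sig)
            return 1;
    }
    return 0;
}

/* Constructed sample bodies, not captures of a real NSS ClientHello. */
static const uint8_t no_sha512[] = {
    0x00, 0x0c,
    0x04, 0x01, 0x05, 0x01, 0x02, 0x01,  /* SHA-256, SHA-384, SHA-1 with RSA   */
    0x04, 0x03, 0x05, 0x03, 0x02, 0x03   /* SHA-256, SHA-384, SHA-1 with ECDSA */
};
static const uint8_t with_sha512[] = {
    0x00, 0x10,
    0x06, 0x01, 0x06, 0x03,              /* the two pairs tried in the report  */
    0x04, 0x01, 0x05, 0x01, 0x02, 0x01,
    0x04, 0x03, 0x05, 0x03, 0x02, 0x03
};

int main(void)
{
    /* sha512WithRSAEncryption corresponds to the pair (sha512, rsa). */
    printf("without: %d\n", sigalgs_offers(no_sha512, sizeof no_sha512, HASH_SHA512, SIG_RSA));
    printf("with:    %d\n", sigalgs_offers(with_sha512, sizeof with_sha512, HASH_SHA512, SIG_RSA));
    return 0;
}
```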
Comment 1 • 10 years ago (Assignee)
Comment 2 • 10 years ago (Assignee)
For the record:
I see that both OpenSSL and GnuTLS offer:
SHA512+DSA, SHA384+DSA, SHA224+RSA, SHA224+DSA, SHA224+ECDSA
in their handshake, too.
On top of that, only OpenSSL offers SHA384+DSA, SHA512+DSA, MD5+RSA.
Comment 3 • 10 years ago (Assignee)
If you still would like to keep it as small as possible, we could use this patch.
Let me know if you think we should avoid running into this error again with other combinations, and if you think we should add more.
Attachment #8594312 - Flags: review?(wtc)
Comment 4 • 10 years ago
Comment on attachment 8594312
patch v1
r=wtc. Thanks.
Attachment #8594312 - Flags: review?(wtc) → review+
Comment 5 • 10 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.19
Updated • 10 years ago
Assignee: nobody → kaie
Priority: -- → P1