Closed Bug 1195434 Opened 4 years ago Closed 3 years ago

Configure signature algorithms support

Categories

(Core :: Security: PSM, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla52
Tracking Status
firefox43 --- affected
firefox52 --- fixed

People

(Reporter: mt, Assigned: keeler)

References

(Depends on 1 open bug)

Details

(Whiteboard: [psm-backlog])

Attachments

(1 file)

NSS has a hard-coded set of signature algorithms that it supports.  This governs what NSS advertises and uses.  It does not, however, govern what mozilla::pkix does with certificate validation.  We need to make those two things consistent, or will we have NSS advertise support for something that mozilla::pkix won't accept, which is bad.

If there were some way to configure signature algorithm support in both these modules, then having PSM set that configuration item directly on each would ensure that it can keep the signature algorithms consistent between NSS and mozilla::pkix.
mt, are you looking for something like bug 1271143 here, or is this more of an additional mechanism to synchronize what mozilla::pkix supports and NSS advertises?
Flags: needinfo?(martin.thomson)
Yes, SSL_SignaturePrefSet.  This should probably fix bug 1271143.
Flags: needinfo?(martin.thomson)
Whiteboard: [psm-backlog]
Priority: -- → P2
Assignee: nobody → dkeeler
Priority: P2 → P1
Comment on attachment 8807275 [details]
bug 1195434 - specify what signature schemes the platform will actually accept in TLS handshakes

https://reviewboard.mozilla.org/r/90492/#review90258

::: security/manager/ssl/nsNSSIOLayer.cpp:2451
(Diff revision 1)
> +  ssl_sig_rsa_pkcs1_sha1,
> +  ssl_sig_rsa_pkcs1_sha256,
> +  ssl_sig_rsa_pkcs1_sha384,
> +  ssl_sig_rsa_pkcs1_sha512,
> +  ssl_sig_ecdsa_secp256r1_sha256,
> +  ssl_sig_ecdsa_secp384r1_sha384,
> +  ssl_sig_ecdsa_secp521r1_sha512,
> +  ssl_sig_rsa_pss_sha256,
> +  ssl_sig_rsa_pss_sha384,
> +  ssl_sig_rsa_pss_sha512,
> +  ssl_sig_ed25519,
> +  ssl_sig_ed448,
> +  ssl_sig_ecdsa_sha1,

The order of these really matters. We should put the things we want most first.

I would put sha1 to the bottom.  Prioritize PSS over pkcs1 too.

Finally, we don't support ed25519 or ed448 in NSS, so those are going to be ignored by NSS.  I don't think you should be setting those.  With this, you will automatically pick up those functions if NSS ever implements them.  That might be surprising, so remove those.

r+ if you pick the following order, otherwise, I'm happy to discuss:

  ssl_sig_ecdsa_secp256r1_sha256,
  ssl_sig_ecdsa_secp384r1_sha384,
  ssl_sig_ecdsa_secp521r1_sha512,
  ssl_sig_rsa_pss_sha256,
  ssl_sig_rsa_pss_sha384,
  ssl_sig_rsa_pss_sha512,
  ssl_sig_rsa_pkcs1_sha256,
  ssl_sig_rsa_pkcs1_sha384,
  ssl_sig_rsa_pkcs1_sha512,
  ssl_sig_ecdsa_sha1,
  ssl_sig_rsa_pkcs1_sha1,
  
(I really wish we could get rid of the SHA-1 variants, do we have a plan to remove them eventually?)
Attachment #8807275 - Flags: review?(martin.thomson) → review+
Duplicate of this bug: 1271143
Comment on attachment 8807275 [details]
bug 1195434 - specify what signature schemes the platform will actually accept in TLS handshakes

https://reviewboard.mozilla.org/r/90492/#review90258

Thanks!

> The order of these really matters. We should put the things we want most first.
> 
> I would put sha1 to the bottom.  Prioritize PSS over pkcs1 too.
> 
> Finally, we don't support ed25519 or ed448 in NSS, so those are going to be ignored by NSS.  I don't think you should be setting those.  With this, you will automatically pick up those functions if NSS ever implements them.  That might be surprising, so remove those.
> 
> r+ if you pick the following order, otherwise, I'm happy to discuss:
> 
>   ssl_sig_ecdsa_secp256r1_sha256,
>   ssl_sig_ecdsa_secp384r1_sha384,
>   ssl_sig_ecdsa_secp521r1_sha512,
>   ssl_sig_rsa_pss_sha256,
>   ssl_sig_rsa_pss_sha384,
>   ssl_sig_rsa_pss_sha512,
>   ssl_sig_rsa_pkcs1_sha256,
>   ssl_sig_rsa_pkcs1_sha384,
>   ssl_sig_rsa_pkcs1_sha512,
>   ssl_sig_ecdsa_sha1,
>   ssl_sig_rsa_pkcs1_sha1,
>   
> (I really wish we could get rid of the SHA-1 variants, do we have a plan to remove them eventually?)

Ah, makes sense. I went with the order you recommended. I agree it would be nice to get rid of the SHA-1 variants. I wouldn't say we have a concrete plan at the moment, but I'm sure we could implement a "try the handshake without them and see if we need to retry while gathering telemetry" scheme.
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ca0017c90ad0
specify what signature schemes the platform will actually accept in TLS handshakes r=mt
https://hg.mozilla.org/mozilla-central/rev/ca0017c90ad0
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Depends on: 1317857
Depends on: 1333053
You need to log in before you can comment on or make changes to this bug.