Closed
Bug 1335069
Opened 7 years ago
Closed 7 years ago
BoGo test ClientAuth-SHA1-Fallback-ECDSA fails
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.30
People
(Reporter: ttaubert, Assigned: ttaubert)
References
Details
Working on ECDSA key import, I noticed that ClientAuth-SHA1-Fallback-ECDSA fails. It expects us to fall back to ECDSA/SHA-1 when the server sends an empty `supported_signature_algorithms` field in the CertificateRequest message. That seems like an appropriate thing to do, the 1.2 spec seems a little ambiguous [1] about whether this field is required to be non-empty. [1] https://tools.ietf.org/html/rfc5246#section-7.4.4
|
Assignee | |
Comment 1•7 years ago
|
||
https://nss-review.dev.mozaws.net/D184
|
|
Assignee | |
Comment 2•7 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/c61324648525
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.30
|
|
Assignee | |
Comment 3•7 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/650e5f6cb617
|
||
Comment 4•7 years ago
|
||
Tim, this commit resulted in a regression report, see bug 1412829. Could you please comment in that bug? It's being argued that the fallback on an empty list is incorrect behavior, and rather the certificate request should fail. Thanks.
Blocks: 1412829
|
|
Assignee | |
Comment 5•7 years ago
|
||
I'm not sure what you expect me to add to the discussion in bug 1412829. It's very clear that we shouldn't accept an empty list of sig_algs. Not clear is how exactly to handle that. I'm not going to reiterate what Ekr already said, he knows the spec best.
|
|
||
Comment 6•7 years ago
|
||
(In reply to Tim Taubert [:ttaubert] from comment #5) > I'm not sure what you expect me to add to the discussion in bug 1412829. > It's very clear that we shouldn't accept an empty list of sig_algs. Not > clear is how exactly to handle that. I'm not going to reiterate what Ekr > already said, he knows the spec best. Tim, I'd like to point you to bug 1412829 comment 3. EKR said: (In reply to Eric Rescorla (:ekr) from comment #3) > I agree with Hubert that this behavior is wrong: if the server provides an > empty list, the client should not supply something not on the list. I'm > actually surprised to see this because IIRC I noted this bug on a previous > CL, though I'm too lazy to go back and try to find it. > > I disagree with Hubert that the client needs to send decode_error. I think > it would also be acceptable to simply act as if no common algorithm exists. > The specification never says that every decoding failure needs to elicit an > alert. I conclude that the existing code is incorrect, and should be changed to NOT fall back to SHA-1. I understand EKR's recommendation as: If no common algorithms exists, you shouldn't do client authentication with SHA-1, you should not authenticate at all.
Flags: needinfo?(ttaubert)
|
|
||
Comment 7•7 years ago
|
||
I've asked EKR in bug 1412829 to confirm my understanding. I suggest we continue the discussion in bug 1412829, I only commented here for reference purposes.
|
|
Assignee | |
Updated•7 years ago
|
Flags: needinfo?(ttaubert)
You need to log in
before you can comment on or make changes to this bug.
Description
•