Closed Bug 1566131 Opened 2 years ago Closed 2 years ago

policy does not disable SHA-1 fallback in TLS 1.2

Categories

(NSS :: Libraries, defect, P1)

3.44
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hkario, Unassigned)

Details

Attachments

(1 file)

When the policy file is used to disable SHA-1 signatures (by disabling all and enabling SHA-256, SHA-384 and SHA-512), the fallback to SHA-1 in case the client does not advertise the signature_algorithms extension still works – the connection is not aborted.

Reproducer:

  1. configure NSS policy to exclude SHA1
  2. run tlsfuzzer test-ecdhe-rsa-key-share-random.py against server

Results:
test case is successful

Expected behaviour:
connections aborted with a handshake_failure alert, because the missing signature_algorithms extension forces the use of SHA-1
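Added example, not code from the bug, NSS or tlsfuzzer: a self-check that reproduces the condition described above (a TLS 1.2 ClientHello that omits the signature_algorithms extension, which per RFC 5246 makes the server fall back to SHA-1 for its ServerKeyExchange signature) against a server you administer, and reports whether it answered with the expected handshake_failure alert or proceeded with a ServerHello. The cipher suite, curve and port are assumptions; adjust them to your server.

```python
# Added example, not NSS or tlsfuzzer code; assumes an ECDHE-RSA server on the given port.
import os
import socket
import struct
CIPHER_ECDHE_RSA_AES128_GCM_SHA256 = 0xC02F   # ServerKeyExchange is RSA-signed for this suite
EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS, EXT_SIGNATURE_ALGORITHMS = 0x000A, 0x000B, 0x000D

def build_client_hello():
    """TLS 1.2 ClientHello record that deliberately omits signature_algorithms (0x000d)."""
    groups = struct.pack("!HH", 2, 0x0017)                      # secp256r1 only
    formats = b"\x01\x00"                                       # uncompressed points only
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(groups)) + groups
    ext += struct.pack("!HH", EXT_EC_POINT_FORMATS, len(formats)) + formats
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"              # version, random, empty session id
            + struct.pack("!HH", 2, CIPHER_ECDHE_RSA_AES128_GCM_SHA256)
            + b"\x01\x00"                                       # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extension_types(record):
    """Walk the ClientHello inside `record` and return its extension types, for self-checking."""
    hello = record[9:]                                          # skip 5-byte record and 4-byte handshake header
    pos = 2 + 32                                                # version + random
    pos += 1 + hello[pos]                                       # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]       # cipher suites
    pos += 1 + hello[pos]                                       # compression methods
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos, types = pos + 2, []
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        types.append(ext_type)
        pos += 4 + ext_len
    return types

def classify_response(data):
    """'aborted' for a handshake_failure alert, 'accepted' for a ServerHello, else 'other'."""
    if len(data) < 7:
        return "other"
    if data[0] == 21 and data[6] == 40:                         # alert record, description handshake_failure
        return "aborted"
    if data[0] == 22 and data[5] == 2:                          # handshake record, ServerHello
        return "accepted"
    return "other"

def probe(host, port=443, timeout=5):
    """Send the ClientHello to a server you operate and classify its first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return classify_response(sock.recv(4096))
```

With the no-SHA-1 policy in place, `probe()` should return "aborted"; "accepted" reproduces the behaviour this bug reports.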

Hubert, needinfo me if you aren't taking this one on. Thanks!

Assignee: nobody → hkario
Status: NEW → ASSIGNED
Priority: -- → P1

Sorry, I'm still reviewing our internal regression tests, so I won't have time to work on it in the next few weeks.

Flags: needinfo?(jjones)
Assignee: hkario → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(jjones)
Target Milestone: --- → 3.46

This adds necessary policy checks in ssl3_ComputeCommonKeyHash(), right before calculating hashes. Note that it currently doesn't check MD5 as it still needs to be allowed in TLS 1.1 or earlier and many tests fail if we change that.

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:ueno, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(dueno)

Pushed as:
https://hg.mozilla.org/projects/nss/rev/c08947c6af57

Thanks for the review!

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(dueno)
Resolution: --- → FIXED
Target Milestone: 3.46 → 3.48