On Fri, Jan 08, 2021 at 12:05:26PM -0800, Quanah Gibson-Mount wrote:

> > https://www.spinics.net/lists/openssl-users/msg05623.html
>
> Thanks Viktor. Mainly, I wasn't sure what specific information would be
> necessary. Here's what wireshark shows (IP addresses obfuscated):

It would be really helpful (also to you) if you install a more up-to-date
version of tshark, or copy the pcap file to a machine that already has
one. The version used below fails to understand many relevant modern TLS
extensions/features. See annotations added:

> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.2 (0x0303)
>         Length: 423
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 419
>             Version: TLS 1.2 (0x0303)
>             Random
>                 GMT Unix Time: Oct 2, 2014 19:22:16.000000000 MDT
>                 Random Bytes: 3226c3627d2ba7c967ce2cf097e616d9cbe45d1bb1cc21f4...
>             Session ID Length: 32
>             Session ID: bde8c16349a08e56a121b6e7aa1f317acf42186ba79b134d...
>             Cipher Suites Length: 88
>             Cipher Suites (44 suites)
> -->             Cipher Suite: Unknown (0x1301) -- i.e. TLS_AES_128_GCM_SHA256
> -->             Cipher Suite: Unknown (0x1302) -- i.e. TLS_AES_256_GCM_SHA384
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>                 Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>                 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>                 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
>             Compression Methods Length: 1
>             Compression Methods (1 method)
>             Extensions Length: 258
>             Extension: server_name
>                 Type: server_name (0x0000)
>                 Length: 35
>                 Server Name Indication extension
>                     Server Name list length: 33
>                     Server Name Type: host_name (0)
>                     Server Name length: 30
>                     Server Name: directory.srv.TEST.ualberta.ca
>             Extension: status_request
>                 Type: status_request (0x0005)
>                 Length: 5
>                 Certificate Status Type: OCSP (1)
>                 Responder ID list Length: 0
>                 Request Extensions Length: 0
>             Extension: elliptic_curves
>                 Type: elliptic_curves (0x000a)
>                 Length: 32
>                 Elliptic Curves Length: 30
>                 Elliptic curves (15 curves)
>             Extension: ec_point_formats
>                 Type: ec_point_formats (0x000b)
>                 Length: 2
>                 EC point formats Length: 1
>                 Elliptic curves point formats (1)
>             Extension: signature_algorithms
>                 Type: signature_algorithms (0x000d)
>                 Length: 22
>                 Signature Hash Algorithms Length: 20
>                 Signature Hash Algorithms (10 algorithms)
>                     Signature Hash Algorithm: 0x0403
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0503
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0603
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0401
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0501
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0601
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0402
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Hash Algorithm: 0x0203
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0201
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0202
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>             Extension: Unknown 50
>                 Type: Unknown (0x0032)
>                 Length: 22
>                 Data (22 bytes)
>             Extension: status_request_v2
>                 Type: status_request_v2 (0x0011)
>                 Length: 9
>                 Certificate Status Type: OCSP Multi (2)
>                 Certificate Status Length: 4
>                 Responder ID list Length: 0
>                 Request Extensions Length: 0
>             Extension: Extended Master Secret
>                 Type: Extended Master Secret (0x0017)
>                 Length: 0
> ! --->      Extension: Unknown 43 -- i.e. supported_versions!
>                 Type: Unknown (0x002b) -- Almost certainly w/ TLS 1.3
>                 Length: 9
>                 Data (9 bytes)
> ! --->      Extension: Unknown 45 -- psk_key_exchange_modes
>                 Type: Unknown (0x002d) -- a TLS 1.3 feature
>                 Length: 2
>                 Data (2 bytes)
> ! --->      Extension: Unknown 51 -- key_share
>                 Type: Unknown (0x0033) -- a TLS 1.3 feature
>                 Length: 71
>                 Data (71 bytes)
>             Extension: renegotiation_info
>                 Type: renegotiation_info (0xff01)
>                 Length: 1
>                 Renegotiation Info extension
>                     Renegotiation info extension length: 0

The client almost certainly offered TLS 1.3 (via supported_versions), but
failed to offer a TLS 1.3-compatible RSA signature algorithm.

    https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme

Among the signature algorithms offered by the client:

>     Signature Hash Algorithm: 0x02,01 -- rsa_pkcs1_sha1
>     Signature Hash Algorithm: 0x04,01 -- rsa_pkcs1_sha256
>     Signature Hash Algorithm: 0x05,01 -- rsa_pkcs1_sha384
>     Signature Hash Algorithm: 0x06,01 -- rsa_pkcs1_sha512
>     Signature Hash Algorithm: 0x02,02 -- dsa_sha1
>     Signature Hash Algorithm: 0x04,02 -- dsa_sha256
>     Signature Hash Algorithm: 0x02,03 -- ecdsa_sha1
>     Signature Hash Algorithm: 0x04,03 -- ecdsa_secp256r1_sha256
>     Signature Hash Algorithm: 0x05,03 -- ecdsa_secp256r1_sha384
>     Signature Hash Algorithm: 0x06,03 -- ecdsa_secp256r1_sha512

None were PSS, and RFC 8446 says:

    In addition, the signature algorithm MUST be compatible with the key
    in the sender's end-entity certificate. RSA signatures MUST use an
    RSASSA-PSS algorithm, regardless of whether RSASSA-PKCS1-v1_5
    algorithms appear in "signature_algorithms". The SHA-1 algorithm
    MUST NOT be used in any signatures of CertificateVerify messages.

> > What sort of certificate does the server have? Are there any ssl module
> > settings in its openssl.cnf file?
>
> no module settings for openssl.cnf.
>
> For the server with the non-working cert, this is the x509 text output:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             ---
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
>         Validity
>             Not Before: Mar 26 17:49:45 2020 GMT
>             Not After : Apr 30 21:21:03 2022 GMT
>         Subject: C=CA, ST=Alberta, L=---
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption

The certificate does not require PSS, but TLS 1.3 does.

-- 
    Viktor.
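To make the diagnosis in the message above mechanically checkable, here is an added example (mine, not from the thread or from OpenSSL) that walks a ClientHello body, pulls out supported_versions and signature_algorithms, and reports whether a client that offers TLS 1.3 also offers an RSASSA-PSS scheme, which RFC 8446 requires before a server with an RSA certificate can sign CertificateVerify. The `build_client_hello` helper and the ClientHello bytes it produces are constructed for the demonstration; the scheme list is the one tshark printed in the capture.

```python
import struct

# SignatureScheme code points from the IANA registry linked above (RFC 8446 4.2.3).
RSA_PSS_SCHEMES = {0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
                   0x0806: "rsa_pss_rsae_sha512", 0x0809: "rsa_pss_pss_sha256",
                   0x080a: "rsa_pss_pss_sha384", 0x080b: "rsa_pss_pss_sha512"}
EXT_SIGNATURE_ALGORITHMS, EXT_SUPPORTED_VERSIONS, TLS13 = 0x000d, 0x002b, 0x0304

def parse_client_hello(body):
    """Walk a ClientHello handshake body (bytes after the 4-byte handshake
    header) and return its extensions as {type: raw extension_data}."""
    pos = 2 + 32                                            # legacy_version, random
    pos += 1 + body[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, exts = pos + 2, {}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def u16_list(data, start, count_bytes):
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(start, start + count_bytes, 2)]

def tls13_rsa_check(body):
    """Return (offers_tls13, pss_schemes). A TLS 1.3 offer with an empty
    pss_schemes list cannot complete against a server holding an RSA cert."""
    exts = parse_client_hello(body)
    sv = exts.get(EXT_SUPPORTED_VERSIONS, b"\x00")          # 1-byte length prefix
    sa = exts.get(EXT_SIGNATURE_ALGORITHMS, b"\x00\x00")    # 2-byte length prefix
    offers13 = TLS13 in u16_list(sv, 1, sv[0])
    pss = [s for s in u16_list(sa, 2, struct.unpack("!H", sa[:2])[0]) if s in RSA_PSS_SCHEMES]
    return offers13, pss

def build_client_hello(sig_schemes, versions):
    """Constructed minimal ClientHello body for the demonstration (not a capture)."""
    sigs = b"".join(struct.pack("!H", s) for s in sig_schemes)
    vers = b"".join(struct.pack("!H", v) for v in versions)
    exts = (struct.pack("!HHH", EXT_SIGNATURE_ALGORITHMS, len(sigs) + 2, len(sigs)) + sigs
            + struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(vers) + 1, len(vers)) + vers)
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)

# The ten schemes tshark listed in the capture quoted above, in the same order.
CAPTURED_SCHEMES = [0x0403, 0x0503, 0x0603, 0x0401, 0x0501, 0x0601, 0x0402, 0x0203, 0x0201, 0x0202]

if __name__ == "__main__":
    print(tls13_rsa_check(build_client_hello(CAPTURED_SCHEMES, [TLS13, 0x0303])))  # (True, [])
```

Appending 0x0804 (rsa_pss_rsae_sha256) to the scheme list makes the second element non-empty, which is the shape of ClientHello a TLS 1.3 client talking to this RSA certificate needs to send.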