Re: no suitable signature algorithm during handshake failure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jan 08, 2021 at 12:05:26PM -0800, Quanah Gibson-Mount wrote:

> >     https://www.spinics.net/lists/openssl-users/msg05623.html
> 
> Thanks Viktor.  Mainly, I wasn't sure what specific information would be 
> necessary.  Here's what wireshark shows (IP addresses obfuscated):

It would be really helpful (also to you) if you install a more
up-to-date version of tshark, or copy the pcap file to a machine
that already has one.  The version used below fails to understand
many relevant modern TLS extensions/features.

See annotations added:

> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.2 (0x0303)
>         Length: 423
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 419
>             Version: TLS 1.2 (0x0303)
>             Random
>                 GMT Unix Time: Oct  2, 2014 19:22:16.000000000 MDT
>                 Random Bytes: 3226c3627d2ba7c967ce2cf097e616d9cbe45d1bb1cc21f4...
>             Session ID Length: 32
>             Session ID: bde8c16349a08e56a121b6e7aa1f317acf42186ba79b134d...
>             Cipher Suites Length: 88
>             Cipher Suites (44 suites)
> -->             Cipher Suite: Unknown (0x1301)        -- i.e. TLS_AES_128_GCM_SHA256
> -->             Cipher Suite: Unknown (0x1302)        -- i.e. TLS_AES_256_GCM_SHA384
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>                 Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>                 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>                 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
>             Compression Methods Length: 1
>             Compression Methods (1 method)
>             Extensions Length: 258
>             Extension: server_name
>                 Type: server_name (0x0000)
>                 Length: 35
>                 Server Name Indication extension
>                     Server Name list length: 33
>                     Server Name Type: host_name (0)
>                     Server Name length: 30
>                     Server Name: directory.srv.TEST.ualberta.ca
>             Extension: status_request
>                 Type: status_request (0x0005)
>                 Length: 5
>                 Certificate Status Type: OCSP (1)
>                 Responder ID list Length: 0
>                 Request Extensions Length: 0
>             Extension: elliptic_curves
>                 Type: elliptic_curves (0x000a)
>                 Length: 32
>                 Elliptic Curves Length: 30
>                 Elliptic curves (15 curves)
>             Extension: ec_point_formats
>                 Type: ec_point_formats (0x000b)
>                 Length: 2
>                 EC point formats Length: 1
>                 Elliptic curves point formats (1)
>             Extension: signature_algorithms
>                 Type: signature_algorithms (0x000d)
>                 Length: 22
>                 Signature Hash Algorithms Length: 20
>                 Signature Hash Algorithms (10 algorithms)
>                     Signature Hash Algorithm: 0x0403
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0503
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0603
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0401
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0501
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0601
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0402
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Hash Algorithm: 0x0203
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0201
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0202
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>             Extension: Unknown 50
>                 Type: Unknown (0x0032)
>                 Length: 22
>                 Data (22 bytes)
>             Extension: status_request_v2
>                 Type: status_request_v2 (0x0011)
>                 Length: 9
>                 Certificate Status Type: OCSP Multi (2)
>                 Certificate Status Length: 4
>                 Responder ID list Length: 0
>                 Request Extensions Length: 0
>             Extension: Extended Master Secret
>                 Type: Extended Master Secret (0x0017)
>                 Length: 0
> ! --->      Extension: Unknown 43         -- i.e. supported_versions!
>                 Type: Unknown (0x002b)    -- Almost certainly w/ TLS 1.3
>                 Length: 9
>                 Data (9 bytes)
> ! --->      Extension: Unknown 45         -- psk_key_exchange_modes
>                 Type: Unknown (0x002d)    -- a TLS 1.3 feature
>                 Length: 2
>                 Data (2 bytes)
> ! --->      Extension: Unknown 51         -- key_share
>                 Type: Unknown (0x0033)    -- a TLS 1.3 feature
>                 Length: 71
>                 Data (71 bytes)
>             Extension: renegotiation_info
>                 Type: renegotiation_info (0xff01)
>                 Length: 1
>                 Renegotiation Info extension
>                     Renegotiation info extension length: 0

The client almost certainly offered TLS 1.3 (via supported_versions),
but failed to offer a TLS 1.3-compatible RSA signature algorithm.

    https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme

Among the signature algorithms offered by the client:

>                     Signature Hash Algorithm: 0x02,01 -- rsa_pkcs1_sha1
>                     Signature Hash Algorithm: 0x04,01 -- rsa_pkcs1_sha256
>                     Signature Hash Algorithm: 0x05,01 -- rsa_pkcs1_sha384
>                     Signature Hash Algorithm: 0x06,01 -- rsa_pkcs1_sha512
>                     Signature Hash Algorithm: 0x02,02 -- dsa_sha1
>                     Signature Hash Algorithm: 0x04,02 -- dsa_sha256
>                     Signature Hash Algorithm: 0x02,03 -- ecdsa_sha1
>                     Signature Hash Algorithm: 0x04,03 -- ecdsa_secp256r1_sha256
>                     Signature Hash Algorithm: 0x05,03 -- ecdsa_secp256r1_sha384
>                     Signature Hash Algorithm: 0x06,03 -- ecdsa_secp256r1_sha512

None were PSS, and RFC 8446 says:

   In addition, the signature algorithm MUST be compatible with the key
   in the sender's end-entity certificate.  RSA signatures MUST use an
   RSASSA-PSS algorithm, regardless of whether RSASSA-PKCS1-v1_5
   algorithms appear in "signature_algorithms".  The SHA-1 algorithm
   MUST NOT be used in any signatures of CertificateVerify messages.

> > What sort of certificate does the server have.  Are there any ssl module
> > settings in its openssl.cnf file?
> 
> no module settings for openssl.cnf.
> 
> For the server with the non-working cert, this is the x509 text output:
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             ---
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
>         Validity
>             Not Before: Mar 26 17:49:45 2020 GMT
>             Not After : Apr 30 21:21:03 2022 GMT
>         Subject: C=CA, ST=Alberta, L=---
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption

The certificate does not require PSS, but TLS 1.3 does.

-- 
    Viktor.



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux