Bug 1150033

Summary: OpenSSL selects weak digest for (EC)DH kex signing in TLSv1.2
Product: Red Hat Enterprise Linux 7 Reporter: Alicja Kario <hkario>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Alicja Kario <hkario>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: fweimer, qe-baseos-security, sardella, tmraz
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssl-1.0.1e-40.el7 Doc Type: Bug Fix
Doc Text:
No doc text needed
Story Points: ---
Clone Of: 1150032 Environment:
Last Closed: 2015-03-05 11:04:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1057566    

Description Alicja Kario 2014-10-07 09:53:25 UTC
Description of problem:
When connecting to a virtual, SNI defined host openssl selects SHA1 digest instead of SHA512, as it does for the default host.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-37.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. openssl req -x509 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -subj /CN=server -nodes -batch
3. openssl s_server -key localhost.key -cert localhost.crt -key2 server.key -cert2 server.crt -servername server

In other console, using OpenSSL 1.0.2:
1. openssl s_client -connect localhost:4433 </dev/null 2>/dev/null| grep 'Peer signing digest'
2. openssl s_client -connect localhost:4433 -servername server </dev/null 2>/dev/null| grep 'Peer signing digest'


Actual results:
1. Peer signing digest: SHA512
2. Peer signing digest: SHA1

Expected results:
1. Peer signing digest: SHA512
2. Peer signing digest: SHA512


Additional info:
The same issue is present when defining virtual hosts using mod_ssl in apache httpd.

Comment 1 Tomas Mraz 2014-10-07 16:27:38 UTC
The problem is that the second SSL context that is used when the server receives the servername extension does not have full copy of settings from the main context. Namely the tls1_process_sigalgs() is not properly called for it.

It is fairly nontrivial to fix this but I'll try to report it upstream.

Comment 2 Alicja Kario 2014-10-08 17:15:59 UTC
Reported upstream:
http://rt.openssl.org/Ticket/Display.html?id=3559&user=guest&pass=guest

Comment 4 Alicja Kario 2014-10-21 13:59:44 UTC
Second upstream bug:
https://rt.openssl.org/Ticket/Display.html?id=3560&user=guest&pass=guest

Comment 9 errata-xmlrpc 2015-03-05 11:04:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0478.html