Bug 1238369

Summary: NSS does not support all signature methods for Certificate Verify [rhel-7]
Product: Red Hat Enterprise Linux 7
Reporter: Alicja Kario <hkario>
Component: nss
Assignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED ERRATA
QA Contact: Alicja Kario <hkario>
Severity: high
Docs Contact:
Priority: high
Version: 7.1
CC: emaldona, kengert, mpoole, nmavrogi, omoris, pvrabec, rrelyea, szidek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: nss-3.21.0-14.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1269239
Environment:
Last Closed: 2016-11-04 03:55:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1218420, 1269239, 1295396, 1309228

Description Alicja Kario 2015-07-01 17:55:35 UTC
Description of problem:
NSS client can sign Certificate Verify only using SHA256 (the PRF used in the ciphersuite) or SHA-1. NSS server requests a signature on Certificate Verify only using SHA256 (the PRF used). This makes servers unable to interoperate with clients that can sign only using SHA-1.

Version-Release number of selected component (if applicable):
nss-3.19.1-5.el7_1

How reproducible:
Always

Steps to Reproduce:
1. Use NSS as client or server in connections that require certificates in TLSv1.2

Actual results:
Certificate Verify is always signed using SHA-256 by the NSS client
Certificate Request always asks just for RSA+SHA256, DSA+SHA256 or ECDSA+SHA256

Expected results:
most hashes listed as acceptable by server, especially DSA+SHA1 or RSA+SHA1

Additional info:

Comment 3 Alicja Kario 2015-08-12 13:42:35 UTC
This feature is necessary for interoperability between GnuTLS and NSS with TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 ciphersuite and DSA client certificates in TLSv1.2.

Comment 4 Alicja Kario 2015-09-15 17:25:33 UTC
This issue breaks communication with Microsoft Internet Explorer clients that have certificates signed with algorithms different from SHA-256.

Since the server asks only for SHA256 signatures, the client refuses to provide its certificate and aborts the connection.

This is the expected behaviour according to https://tools.ietf.org/html/rfc5246#section-7.4.4

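Worked example of the negotiation described in the bug description and in comment 4 (added here; this is not code from the bug report or from NSS): a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4) is built and parsed, and the client picks a (hash, signature) pair from the server's supported_signature_algorithms list for CertificateVerify. The server lists and the client capability are constructed sample values; with the SHA-256-only list the affected NSS server sent, a client that can only sign with SHA-1 finds no usable pair, which is the point where such a client aborts the handshake.

```python
import struct

# HashAlgorithm / SignatureAlgorithm code points, RFC 5246 section 7.4.1.4.1
HASH = {"md5": 1, "sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}
SIG = {"rsa": 1, "dsa": 2, "ecdsa": 3}
HASH_NAME = {v: k for k, v in HASH.items()}
SIG_NAME = {v: k for k, v in SIG.items()}

# Constructed sample: what the affected NSS server offered (SHA-256 only),
# and a client whose DSA certificate/key can only produce SHA-1 signatures.
NSS_SHA256_ONLY_SERVER = [("sha256", "rsa"), ("sha256", "dsa"), ("sha256", "ecdsa")]
SHA1_ONLY_DSA_CLIENT = [("sha1", "dsa")]


def build_certificate_request(cert_types, sig_algs, ca_names=()):
    """Encode a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4)."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    algs = b"".join(bytes([HASH[h], SIG[s]]) for h, s in sig_algs)
    body += struct.pack("!H", len(algs)) + algs           # supported_signature_algorithms
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body += struct.pack("!H", len(cas)) + cas             # certificate_authorities
    return body


def parse_certificate_request(body):
    """Return (certificate_types, [(hash, sig), ...]) from a CertificateRequest body."""
    n = body[0]
    cert_types = list(body[1:1 + n])
    off = 1 + n
    (alg_len,) = struct.unpack_from("!H", body, off)
    off += 2
    if alg_len % 2 or off + alg_len > len(body):
        raise ValueError("malformed supported_signature_algorithms vector")
    pairs = [(HASH_NAME[body[i]], SIG_NAME[body[i + 1]])
             for i in range(off, off + alg_len, 2)]
    return cert_types, pairs


def choose_certificate_verify_alg(server_pairs, client_pairs):
    """First (hash, sig) the client can produce that the server listed, else None.

    None is the interoperability failure from this bug: the client has no
    permitted way to sign CertificateVerify and gives up on client auth.
    """
    for pair in client_pairs:
        if pair in server_pairs:
            return pair
    return None
```

Adding the SHA-1 pairs to the server list (as the fixed package does for more hash algorithms) lets the same client select ("sha1", "dsa") and complete client authentication.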
Comment 5 Elio Maldonado Batiz 2016-01-18 15:16:26 UTC
This is one where we need to allow verification even when the digest doesn't match what was used for the PRF. There is a similar bug for RHEL 6.8 and it should be included.

Comment 22 errata-xmlrpc 2016-11-04 03:55:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2335.html