Bug 1277611 - nss 3.19-1 is unable to connect to SSL servers using a public key starting with more than two leading 0 bits
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
All All
medium Severity high
: rc
: ---
Assigned To: nss-nspr-maint
Hubert Kario
Depends On:
Blocks: 1203710 1295396 1296594 1313485
Reported: 2015-11-03 11:20 EST by Felix Dewaleyne
Modified: 2016-11-03 23:56 EDT

See Also:
Fixed In Version: nss-3.21.0-5.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-11-03 23:56:11 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Calculate DSA and DH key sizes based on prime, not public key (896 bytes, patch)
2016-02-16 13:13 EST, Elio Maldonado Batiz
rrelyea: review+

External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 1211403 None None None 2016-01-22 11:13 EST

Description Felix Dewaleyne 2015-11-03 11:20:50 EST
Description of problem:
When connecting to a server using a public key starting with more than 2 leading bits set to 0, with NSS 3.19-1 this results in a security warning. This wasn't the case with NSS 3.18.

Version-Release number of selected component (if applicable):
nss 3.19-1

How reproducible:
all the time 

Steps to Reproduce:
1. get server using a certificate affected
2. issue a curl connection to it

Actual results:
Client sends a TLS alert reporting "insufficient_security"

Expected results:
normal connection, as of nss 3.18

Additional info:
see https://bugzilla.mozilla.org/show_bug.cgi?id=1211403

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes shows that DSS/DSA with 1024 should work. It also states that "NSS reports the bit length of keys more accurately. Thus, the SECKEY_PublicKeyStrength and SECKEY_PublicKeyStrengthInBits functions could report smaller values for values that have leading zero values. This affects the key strength values that are reported by SSL_GetChannelInfo."

customer info :
You need a server presenting such a public key:
- We used 4 Tomcat servers
- use openssl to check the server's public key contents
echo | openssl s_client -connect myserver:myport 2>/dev/null | openssl x509 -text -noout
- check the first bytes of the public key shown
- one of our 4 servers had a public key starting with 0x11
Comment 6 Elio Maldonado Batiz 2016-01-18 10:19:08 EST
Backport to 3.21, given that are likely to rebase, the upstream fix at 
https://bug1211403.bmoattachments.org/attachment.cgi?id=8695104 which was for https://bugzilla.mozilla.org/show_bug.cgi?id=1211403 and is targeted for the upstream nss-3.22 release. It should be included.
Comment 7 Nikos Mavrogiannopoulos 2016-01-22 11:12:50 EST
This issue can be solved using a rebase to nss-3.22.
Comment 11 Elio Maldonado Batiz 2016-02-16 13:13 EST
Created attachment 1127664 [details]
Calculate DSA and DH key sizes based on prime, not public key

Backport to nss-3.21 of https://hg.mozilla.org/projects/nss/rev/075e80f679d1
Comment 12 Bob Relyea 2016-02-16 20:14:33 EST
Comment on attachment 1127664 [details]
Calculate DSA and DH key sizes based on prime, not public key

r+ rrelyea

This is also more correct. A small public key is just as secure as any other public key as long as the private key is long enough (g is 2 and the public key is 8, then it's pretty obvious the private key is 3, which is too short).
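
The two size calculations discussed in this thread, side by side, as an added example that is not part of the bug thread and is not NSS source code. All function and type names are hypothetical, EXAMPLE_MIN_BITS is an assumed floor chosen for the demonstration, and the sample key bytes are constructed (only the leading byte 0x11 comes from the report).

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed minimum key size for this demo; not a value taken from the page. */
#define EXAMPLE_MIN_BITS 1023u

/* Bit length of a big-endian unsigned integer, ignoring leading zero bits. */
static unsigned bit_length(const unsigned char *buf, size_t len)
{
    while (len > 0 && *buf == 0) { buf++; len--; }   /* skip zero bytes */
    if (len == 0) return 0;
    unsigned bits = (unsigned)len * 8;
    for (unsigned char top = *buf; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

struct dh_key {                              /* DH or DSA public key (hypothetical type) */
    const unsigned char *p; size_t p_len;    /* prime modulus */
    const unsigned char *y; size_t y_len;    /* public value */
};

/* Behaviour described in the report: size derived from the public value. */
static unsigned strength_from_public(const struct dh_key *k)
{
    return bit_length(k->y, k->y_len);
}

/* Behaviour named in the patch title: size derived from the prime. */
static unsigned strength_from_prime(const struct dh_key *k)
{
    return bit_length(k->p, k->p_len);
}

static int accepted(unsigned bits) { return bits >= EXAMPLE_MIN_BITS; }

/* Constructed sample: 1024-bit modulus (not a real prime) and a public
 * value whose first byte is 0x11, i.e. three leading zero bits. */
static const unsigned char sample_p[128] = { [0] = 0xC3, [127] = 0x01 };
static const unsigned char sample_y[128] = { [0] = 0x11, [127] = 0x02 };
static const struct dh_key sample_key = { sample_p, sizeof sample_p, sample_y, sizeof sample_y };

int main(void)
{
    unsigned by_y = strength_from_public(&sample_key);
    unsigned by_p = strength_from_prime(&sample_key);
    printf("from public value: %u bits, accepted=%d\n", by_y, accepted(by_y));
    printf("from prime:        %u bits, accepted=%d\n", by_p, accepted(by_p));
    return 0;
}
```
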
Comment 20 errata-xmlrpc 2016-11-03 23:56:11 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

