Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1410573 - RFC violation in handling signature algorithms extensions (fix by rebase to 3.28.x)
Summary: RFC violation in handling signature algorithms extensions (fix by rebase to 3...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Daiki Ueno
QA Contact: Hubert Kario
Depends On:
Blocks: 1508595 1566466 1644878
TreeView+ depends on / blocked
Reported: 2017-01-05 18:53 UTC by Hubert Kario
Modified: 2018-10-31 19:20 UTC (History)
2 users (show)

Fixed In Version: nss-3.28.3-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1508595 (view as bug list)
Last Closed: 2017-08-01 16:50:07 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1411238 0 medium CLOSED openssl switches to (SHA1, RSA) if no usable signature algorithm is specified 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHEA-2017:1977 0 normal SHIPPED_LIVE nss bug fix and enhancement update 2017-08-01 17:57:47 UTC

Internal Links: 1411238

Description Hubert Kario 2017-01-05 18:53:05 UTC
Description of problem:
When Client Hello received by server does not include algorithms known to server, the server signs Server Key Exchange with a sha1+rsa signature algorithm.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Send Client Hello with invalid values in signature_algorithms extension

Actual results:
Server replies with a SKE message signed with SHA-1

Expected results:
handshake_failure alert message

Additional info:
This is RFC 5246 violation:

   If the client does not support the default algorithms (...),
   it MUST send the
   signature_algorithms extension, listing the algorithms it is willing
   to accept.

("default algorithms" refers to sha1+rsa, sha1+dsa and sha1+ecdsa pairs)

   If the client has offered the "signature_algorithms" extension, the
   signature algorithm and hash algorithm MUST be a pair listed in that
   extension.  Note that there is a possibility for inconsistencies
   here.  For instance, the client might offer DHE_DSS key exchange but
   omit any DSA pairs from its "signature_algorithms" extension.  In
   order to negotiate correctly, the server MUST check any candidate
   cipher suites against the "signature_algorithms" extension before
   selecting them.  This is somewhat inelegant but is a compromise
   designed to minimize changes to the original cipher suite design.

Comment 2 Kai Engert (:kaie) (inactive account) 2017-01-11 14:19:31 UTC
Hubert, can this bug be fixed by upgrading to NSS 3.28 ?

Comment 3 Hubert Kario 2017-01-12 11:48:40 UTC
Yes, I've verified that 3.28.0 does fix this issue.

Comment 4 Kai Engert (:kaie) (inactive account) 2017-01-12 12:54:27 UTC
We plan to upgrade both 7.4.0 and 7.3.z to NSS 3.28.x by March, so this will be done by our rebase.

Comment 5 Kai Engert (:kaie) (inactive account) 2017-02-24 14:13:02 UTC
Hubert, can you help with qa-ack, if you want to track this for 7.4.0 ?

Comment 8 errata-xmlrpc 2017-08-01 16:50:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.