Bug 1685470 - OpenSSL should query the PKCS#11 token for supported mechanisms before using RSA-PSS in TLS 1.2
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssl
Version: 8.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: 8.0
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
Mirek Jahoda
URL:
Whiteboard:
Depends On: 1701233
Blocks:
Reported: 2019-03-05 10:05 UTC by Jakub Jelen
Modified: 2019-08-22 13:36 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.`OpenSSL` incorrectly handles PKCS #11 tokens that do not support raw RSA or RSA-PSS signatures

The `OpenSSL` library does not detect key-related capabilities of PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created with a token that does not support raw RSA or RSA-PSS signatures. To work around the problem, add the following lines after the `.include` line at the end of the `crypto_policy` section in the `/etc/pki/tls/openssl.cnf` file:

----
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
MaxProtocol = TLSv1.2
----

As a result, a TLS connection can be established in the described scenario.
Clone Of:
Environment:
Last Closed:
Type: Bug



Description Jakub Jelen 2019-03-05 10:05:53 UTC
Description of problem:
Both nginx and httpd, when configured with keys from the openssl-pkcs11 engine, fail to provide signatures if the token does not support RSA-PSS or RSA-RAW, because they do not query the key capabilities.

Version-Release number of selected component (if applicable):
openssl-1.1.1-8.el8.x86_64
package openssl-engine is not installed
httpd-2.4.37-7.module+el8+2443+605475b7.x86_64
nginx-1.14.1-8.module+el8+2505+fe936cef.x86_64
wget-1.19.5-7.el8.x86_64
gnutls-3.6.5-2.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Configure httpd/nginx to use a private key from the openssl-pkcs11 engine (including an adjustment of the polkit policy)
2. Connect from a client offering only TLS 1.2
wget --no-check-certificate --tries 1 https://localhost/  --cipher="NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2"

Actual results (client):
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [80]: Internal error
Unable to establish SSL connection.
(Server logs follow)

Expected results:
The connection should be established using some different key signature algorithm. The configuration can be verified by connecting with the client supporting only RSA-PKCS1, which connects fine:

wget --no-check-certificate --tries 1 https://localhost/  --cipher="NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-SHA1"

Additional info:
nginx error logs:
2019/03/04 18:37:33 [crit] 2538#0: *1 SSL_do_handshake() failed (SSL: error:8207A070:PKCS#11 module:pkcs11_private_encrypt:Mechanism invalid error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error) while SSL handshaking, client: ::1, server: [::]:443

httpd error logs:
ssl_engine_kernel.c(2210): [client ::1:49418] OpenSSL: Write: error
ssl_engine_kernel.c(2229): [client ::1:49418] OpenSSL: Exit: error in error
[client ::1:49418] AH02008: SSL library error 1 in handshake (server localhost:443)
SSL Library Error: error:8207A070:PKCS#11 module:pkcs11_private_encrypt:Mechanism invalid
SSL Library Error: error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error

Comment 3 Tomas Mraz 2019-05-03 12:53:22 UTC
The text is fine.

The workaround is to add the two following lines
to the end of the [ crypto_policy ] section (after the .include line) in the /etc/pki/tls/openssl.cnf containing:

SignatureAlgorithms = RSA, ECDSA
MaxProtocol = TLSv1.2

Comment 5 Tomas Mraz 2019-05-03 14:38:35 UTC
OK I had the workaround wrong, it is:

The workaround is to add the two following lines
to the end of the [ crypto_policy ] section (after the .include line) in the /etc/pki/tls/openssl.cnf containing:

SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
MaxProtocol = TLSv1.2

Comment 6 Tomas Mraz 2019-05-03 14:39:41 UTC
Thanks, Jakub, for testing it.
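
The workaround from comment 5 can be checked mechanically on a host. The Python sketch below is an added example, not part of the original bug report or of OpenSSL; the function name `audit_workaround`, the sample file content and the include path in it are constructed for illustration. It assumes that settings placed before the `.include` line can be overridden by the included file, so only assignments after it are counted.

```python
import re

# Constructed sample of /etc/pki/tls/openssl.cnf with the workaround applied
# (illustrative content, not copied from a real host; include path is assumed).
SAMPLE_CNF = """\
[ crypto_policy ]
.include /etc/crypto-policies/back-ends/opensslcnf.config
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
MaxProtocol = TLSv1.2
"""


def audit_workaround(cnf_text, section="crypto_policy"):
    """Return a list of problems; an empty list means the workaround is in place."""
    current, after = None, {}
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
        elif current == section and line.startswith(".include"):
            after.clear()  # earlier settings can be overridden by the included file
        elif current == section and "=" in line:
            key, _, value = line.partition("=")
            after[key.strip().lower()] = value.strip()  # last assignment wins

    problems = []
    sigalgs = after.get("signaturealgorithms")
    if sigalgs is None:
        problems.append("SignatureAlgorithms not set after the .include line")
    else:
        # The list is colon separated; each entry is algorithm+hash or a scheme name.
        for entry in sigalgs.split(":"):
            if not re.fullmatch(r"[A-Za-z0-9_-]+(\+[A-Za-z0-9-]+)?", entry):
                problems.append("malformed SignatureAlgorithms entry: %r" % entry)
            elif "pss" in entry.lower():
                problems.append("RSA-PSS still offered: %s" % entry)
    if after.get("maxprotocol") != "TLSv1.2":
        problems.append("MaxProtocol is not TLSv1.2 after the .include line")
    return problems


if __name__ == "__main__":
    for problem in audit_workaround(SAMPLE_CNF) or ["workaround present"]:
        print(problem)
```

To audit a real host, pass the contents of `/etc/pki/tls/openssl.cnf` to `audit_workaround` instead of the sample string.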

