[BoringSSL server] ECDSA suites impossible without the ec_point_formats extension
Reported by
schnab...@inurbanus.nl,
May 19 2016
|
|||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/49.0.2623.108 Chrome/49.0.2623.108 Safari/537.36 Steps to reproduce the problem: I've come across a mildly interesting corner case in BoringSSL w.r.t. the ec_point_formats extension. If you send a ClientHello that includes ECDSA cipher suites but does not have an ec_point_formats extension, a BoringSSL server will not pick an ECDSA cipher suite. I know that per RFC 4492 I SHOULD send the extension, but it's not a strict requirement. Falling back to RSA-authenticated connections is a sensible choice. However, when the ClientHello *just* contains ECDSA cipher suites (and still no ec_point_formats), I'm met with a no_cipher_overlap error. I have some proof-of-concept code at https://github.com/thijzert/sslprobe, specifically the "theres-no-point" branch. This behaviour may be triggered by observing the difference in output between these commands: go run bin/sslprobe/sslprobe.go -tls12 google.com and go run bin/sslprobe/sslprobe.go -tls12 -theres_no_point google.com This script tries to map out a server's cipher preference by sending repeatedly smaller ClientHellos, so when all supported aRSA suites have been tried the next request contains just ECDSA suites (as well as an enormous collection of ancient crypto). On other server implementations, the supported ciphers list seems to trump ec_point_formats: go run bin/sslprobe/sslprobe.go -tls12 facebook.com and go run bin/sslprobe/sslprobe.go -tls12 -theres_no_point facebook.com What is the expected behavior? OpenSSL seems to act as if I'd simply sent a list containing "uncompressed" and nothing else, which seems like sensible default behaviour. Furthermore, in TLS1.3 the point format will be implied from the curve used, which also seems an acceptable choice when falling back to earlier versions. What went wrong? The TLS handshake does not complete. Did this work before? N/A Chrome version: Channel: n/a OS Version: Flash Version: Neither option is more correct; the specification is not specific, and this is about as contrived a use case as I could imagine.
,
May 23 2016
,
May 24 2016
BoringSSL doesn't pay any attention ec_point_format extension at all, except to enforce that you include uncompressed, as the spec mandates. See https://boringssl.googlesource.com/boringssl/+/fc05994e24793aa8121f71e1658cba1ecfd3dd57 I think you are instead seeing is some logic on our servers for picking ECDSA vs RSA which wants the point format extension. I agree with you that it should be fine picking ECDSA when the extension is missing. (I'll go ahead and close this as it's nothing to do with BoringSSL and follow up internally.)
,
May 26 2016
Google's serving infrastructure will stop requiring ec_point_formats for ECDSA unless something unexpected comes up. Since there's no rush for this, it'll roll out over the course of about a month.
,
May 26 2016
Sweet, thanks! |
|||
►
Sign in to add a comment |
|||
Comment 1 by brajkumar@chromium.org
, May 20 2016