
Issue 795089

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Components:
EstimatedDays: ----
NextAction: 2018-06-25
OS: ----
Pri: 3
Type: Bug

Blocked on:
issue 347402




X.509 key usage extensions aren't enforced for RSA in TLS <= 1.2

Project Member Reported by davidben@chromium.org, Dec 14 2017

Issue description

For historical reasons, we don't enforce the cipher-specific key usage bit for RSA keys in TLS 1.2 and below.

Contrary to some proposals, enforcing the key usage does *not* solve the Bleichenbacher attack. Any client which still supports the deprecated static RSA mode (including ourselves, alas) talking to a server vulnerable to it could be attacked just by selecting one of those ciphers.

Nonetheless, this is a good thing to enforce, to keep the ecosystem honest and perhaps in preparation for a future when this isn't completely useless.

We enforce it for ECDSA at all versions and RSA starting TLS 1.3, but RSA in TLS 1.2 will require metrics to see what the breakage is. E.g., an antivirus MITM which copies key usage bits on a digitalSignature-only key but switches from ECDHE_RSA to static RSA will break.
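
The check described in the report above, as an added example that is not part of the original issue and is not Chromium or BoringSSL code. It decodes the DER keyUsage BIT STRING and tests the bit each TLS 1.2 key exchange needs from an RSA leaf key; all names and the sample byte strings are constructed for illustration.

```python
from enum import Enum

# KeyUsage bit positions from RFC 5280, section 4.2.1.3.
DIGITAL_SIGNATURE = 0
KEY_ENCIPHERMENT = 2


class Kx(Enum):  # hypothetical names for the two RSA-certificate key exchanges
    STATIC_RSA = "RSA"         # client encrypts the premaster secret to the key
    ECDHE_RSA = "ECDHE_RSA"    # server signs ServerKeyExchange with the key


# Bit required from the leaf key per key exchange (RFC 5246, section 7.4.2).
REQUIRED_BIT = {Kx.STATIC_RSA: KEY_ENCIPHERMENT, Kx.ECDHE_RSA: DIGITAL_SIGNATURE}


def parse_key_usage(der):
    """Return the set of asserted bit positions in a DER KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("expected a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bit count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    # Bit 0 of a BIT STRING is the most significant bit of the first octet.
    return {8 * i + b for i, octet in enumerate(body)
            for b in range(8) if octet & (0x80 >> b)}


def key_usage_allows(key_usage_der, kx):
    """key_usage_der is None when the certificate has no keyUsage extension."""
    if key_usage_der is None:
        return True  # an absent extension places no restriction on the key
    return REQUIRED_BIT[kx] in parse_key_usage(key_usage_der)


# Constructed sample extension values (not taken from any real certificate).
SIG_ONLY = bytes.fromhex("03020780")   # digitalSignature
ENC_ONLY = bytes.fromhex("03020520")   # keyEncipherment
BOTH = bytes.fromhex("030205a0")       # digitalSignature + keyEncipherment

if __name__ == "__main__":
    # The interception case from the report: a digitalSignature-only key
    # presented over static RSA is the combination that enforcement rejects.
    for name, ku in (("sig-only", SIG_ONLY), ("enc-only", ENC_ONLY), ("both", BOTH)):
        for kx in Kx:
            print(name, kx.value, "ok" if key_usage_allows(ku, kx) else "reject")
```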
 
Project Member

Comment 1 by bugdroid1@chromium.org, Dec 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f8ebd2b9953dc4298336e518b8faa85ed3c94b66

commit f8ebd2b9953dc4298336e518b8faa85ed3c94b66
Author: David Benjamin <davidben@chromium.org>
Date: Fri Dec 15 19:22:41 2017

Gather metrics on RSA key usage bits.

Bug: 795089
Change-Id: I7772621479504e5797c579f6d45315f836d5bceb
Reviewed-on: https://chromium-review.googlesource.com/827809
Reviewed-by: Steven Holte <holte@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Commit-Queue: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524429}
[modify] https://crrev.com/f8ebd2b9953dc4298336e518b8faa85ed3c94b66/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/f8ebd2b9953dc4298336e518b8faa85ed3c94b66/tools/metrics/histograms/enums.xml
[modify] https://crrev.com/f8ebd2b9953dc4298336e518b8faa85ed3c94b66/tools/metrics/histograms/histograms.xml

NextAction: 2018-01-15
Metrics are in. Will check back again mid January to get an initial read on the situation. Though this would mostly be about whether we need to tweak the metrics. I don't think I'd trust data here that wasn't on stable.
The NextAction date has arrived: 2018-01-15
Early metrics suggest that enforcing this for known roots should be feasible. Unknown roots might also, but there's some indication that things will break. We'll follow the metrics as they get to beta and stable and see how they look.
NextAction: 2018-06-25
The NextAction date has arrived: 2018-06-25
Blockedon: 347402
Stable is consistent with comment #4. Enforcing it for known roots is solid. Enforcing for unknown roots should also be doable, but we probably should go through some temporary admin policy to be thorough.

I'll block this on issue #347402, so we can more sanely condition it on the known root bit.
