Issue 863147

Issue metadata

Status: Fixed
Closed: Jul 18
Pri: 3
Type: Bug

Align SSLPrivateKey hash preferences with BoringSSL

Project Member Reported by davidben@chromium.org, Jul 12

Issue description

SSLPrivateKey currently prefers SHA-512 > SHA-384 > SHA-256 > SHA-1. We switched BoringSSL's defaults to SHA-256 > SHA-384 > SHA-512 > SHA-1 at some point.

I got a report from someone at Microsoft that TPM-backed keys on Windows have issues with Chrome's current behavior because they can only sign SHA-256. SHA-256 is unlikely to be less compatible with weird keys than SHA-512, and apparently Edge prefers to sign SHA-256 first. Let's align this.

https://chromium-review.googlesource.com/c/chromium/src/+/1135299
 
Project Member

Comment 1 by bugdroid1@chromium.org, Jul 18

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8a1d878b99f25c6855099bef483e939264ba7b6f

commit 8a1d878b99f25c6855099bef483e939264ba7b6f
Author: David Benjamin <davidben@chromium.org>
Date: Wed Jul 18 02:47:28 2018

Reorder SSLPrivateKey hash preferences.

Prefer signing smaller SHA-2 hashes over larger ones. This aligns with
BoringSSL's current defaults. In particular, we got a report of problems
with TPM-protected client certificates on Windows that cannot sign
SHA-512. Absent a way to reliably query hash preferences, SHA-256 is
more likely to be compatible.

Bug: 863147
Change-Id: Icaef85a2639ba3cc95846ff932bd829226e7aa7b
Reviewed-on: https://chromium-review.googlesource.com/1135299
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Commit-Queue: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/master@{#575915}
[modify] https://crrev.com/8a1d878b99f25c6855099bef483e939264ba7b6f/net/ssl/ssl_platform_key_win.cc
[modify] https://crrev.com/8a1d878b99f25c6855099bef483e939264ba7b6f/net/ssl/ssl_platform_key_win_unittest.cc
[modify] https://crrev.com/8a1d878b99f25c6855099bef483e939264ba7b6f/net/ssl/ssl_private_key.cc

Status: Fixed (was: Started)
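
A model of the selection problem discussed in this issue, as an added example that is not Chromium or BoringSSL code: the signer picks the first hash in its preference order that the peer accepts, without being able to ask the key what it can sign. `SelectHash`, `Sha256OnlyKey` and `HandshakeSigns` are hypothetical names, and the peer lists are constructed.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Hypothetical model for illustration; names are not from Chromium.
enum class Hash { kSha1, kSha256, kSha384, kSha512 };

// The two preference orders named in the issue, most preferred first.
const std::vector<Hash> kOldOrder = {Hash::kSha512, Hash::kSha384,
                                     Hash::kSha256, Hash::kSha1};
const std::vector<Hash> kNewOrder = {Hash::kSha256, Hash::kSha384,
                                     Hash::kSha512, Hash::kSha1};

// Picks the first locally preferred hash that the peer also accepts.
// The key's real capabilities are not consulted, because the signer
// has no reliable way to query them.
bool SelectHash(const std::vector<Hash>& prefs,
                const std::vector<Hash>& peer_accepts, Hash* out) {
  for (Hash h : prefs) {
    if (std::find(peer_accepts.begin(), peer_accepts.end(), h) !=
        peer_accepts.end()) {
      *out = h;
      return true;
    }
  }
  return false;  // No common hash: no signature can be produced.
}

// Constructed stand-in for a hardware-backed key that signs only SHA-256.
struct Sha256OnlyKey {
  bool Sign(Hash h) const { return h == Hash::kSha256; }
};

// True if the chosen hash is one the key can actually sign.
bool HandshakeSigns(const std::vector<Hash>& prefs,
                    const std::vector<Hash>& peer_accepts) {
  Hash h;
  return SelectHash(prefs, peer_accepts, &h) && Sha256OnlyKey{}.Sign(h);
}

int main() {
  // Constructed peer that accepts every hash in the list.
  const std::vector<Hash> peer = {Hash::kSha1, Hash::kSha256,
                                  Hash::kSha384, Hash::kSha512};
  std::printf("old order signs: %d\n", HandshakeSigns(kOldOrder, peer));
  std::printf("new order signs: %d\n", HandshakeSigns(kNewOrder, peer));
  return 0;
}
```

A peer that accepts only SHA-512 still fails with either order in this model, which is why the reorder is a compatibility heuristic rather than a capability check.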
