From 56e481f19ed4d2ed374a6fb6e24a66637eb07b3c Mon Sep 17 00:00:00 2001 From: Dave Garrett Date: Tue, 7 Jul 2015 11:04:32 -0400 Subject: [PATCH] drop SHA1 signatures & note DSA as NOT RECOMMENDED The new default hash for the extensionless case is now SHA-256. --- draft-ietf-tls-tls13.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/draft-ietf-tls-tls13.md b/draft-ietf-tls-tls13.md index f5200e341..53cb3524d 100644 --- a/draft-ietf-tls-tls13.md +++ b/draft-ietf-tls-tls13.md @@ -323,7 +323,7 @@ draft-07 - Remove support for weak and lesser used named curves. -- Remove support for MD5 and SHA-224 hashes with signatures. +- Remove support for MD5, SHA-1, and SHA-224 hashes with signatures. draft-06 @@ -2093,9 +2093,7 @@ which signature/hash algorithm pairs may be used in digital signatures. The %%% Signature Algorithm Extension enum { none(0), - md5_RESERVED(1), - sha1(2), - sha224_RESERVED(3), + md5_RESERVED(1), sha1_RESERVED(2), sha224_RESERVED(3), sha256(4), sha384(5), sha512(6), (255) } HashAlgorithm; @@ -2125,9 +2123,9 @@ hash SHA-224, SHA-256, SHA-384, and SHA-512 {{SHS}}, respectively. The "none" value is provided for future extensibility, in case of a signature algorithm which does not require hashing before signing. - The usage of MD5 and SHA-224 are deprecated. The md5_RESERVED and - sha224_RESERVED values MUST NOT be offered or negotiated by any - implementation. + The usage of MD5, SHA-1, and SHA-224 are deprecated. The md5_RESERVED, + sha1_RESERVED, and sha224_RESERVED values MUST NOT be offered or + negotiated by any implementation. signature : This field indicates the signature algorithm that may be used. 
@@ -2135,8 +2133,13 @@ signature {{RFC3447}} and DSA {{DSS}}, and ECDSA {{ECDSA}}, respectively. The "anonymous" value is meaningless in this context but used in {{server-key-share}}. It MUST NOT appear in this extension. + DSA is considered obsolete and its usage is currently NOT RECOMMENDED. {:br } +If an endpoint receives a "signature_algorithms" extension with a deprecated +value, it MUST respond with an "insufficient_security" alert and close the +connection. + The semantics of this extension are somewhat complicated because the cipher suite indicates permissible signature algorithms but not hash algorithms. {{server-certificate}} and {{server-key-share}} describe the @@ -2153,16 +2156,16 @@ If the client does not send the "signature_algorithms" extension, the server MUS do the following: - If the negotiated key exchange algorithm is one of (DHE_RSA, ECDHE_RSA), - behave as if client had sent the value {sha1,rsa}. + behave as if client had sent the value {sha256,rsa}. - If the negotiated key exchange algorithm is DHE_DSS, - behave as if the client had sent the value {sha1,dsa}. + behave as if the client had sent the value {sha256,dsa}. - If the negotiated key exchange algorithm is ECDHE_ECDSA, - behave as if the client had sent value {sha1,ecdsa}. + behave as if the client had sent value {sha256,ecdsa}. Note: This extension is not meaningful for TLS versions prior to 1.2. Clients -MUST NOT offer it if they are offering prior versions. However, even if clients +SHOULD NOT offer it if they are offering prior versions. However, even if clients do offer it, the rules specified in {{RFC6066}} require servers to ignore extensions they do not understand.
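Review bot: subject-verb agreement in the rewritten deprecation sentence of the HashAlgorithm hunk: "The usage of MD5, SHA-1, and SHA-224 are deprecated" should read "is deprecated" (the subject is "usage"), or simply "MD5, SHA-1, and SHA-224 are deprecated." The renaming of sha1(2) to sha1_RESERVED(2) correctly keeps the code point allocated so it cannot be reassigned and misread by a TLS 1.2 peer; worth keeping the three _RESERVED entries on one line as done here since they are no longer individually meaningful.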
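Review bot: the new paragraph "If an endpoint receives a "signature_algorithms" extension with a deprecated value, it MUST respond with an "insufficient_security" alert and close the connection" will break interoperability with clients that offer TLS 1.3 alongside earlier versions, because the extension is sent in ClientHello before the version is negotiated and a client that also offers TLS 1.2 has to list sha1 for those servers. Suggest either (a) having the endpoint ignore deprecated pairs and abort only if no acceptable pair remains, or (b) scoping the MUST to the case where the negotiated version is TLS 1.3 and the extension contains only deprecated values. "Deprecated value" is also not defined anywhere; tie it explicitly to the md5_RESERVED, sha1_RESERVED and sha224_RESERVED code points so implementers know exactly what triggers the alert. The same hunk's "DSA is considered obsolete and its usage is currently NOT RECOMMENDED" sits inside the signature field description separated by a {:br }; consider moving it to the paragraph after the list so it is not rendered as part of the enum value definition.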
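Review bot: the defaults hunk changes the extensionless fallback to {sha256,dsa} for DHE_DSS in the same patch that declares DSA NOT RECOMMENDED; either drop the DHE_DSS default (a server that no longer wants DSA should not synthesize a DSA preference on the client's behalf) or note that the default exists only for legacy key exchange. The {sha256,rsa} and {sha256,ecdsa} defaults are the natural replacement now that sha1 is reserved. Separately, the relaxation from "Clients MUST NOT offer it if they are offering prior versions" to "SHOULD NOT" is a normative behavior change not mentioned in the commit message or the draft-07 changelog entry above; add a changelog line so it is not lost, and consider stating the reason (clients offering both 1.2 and 1.3 need to send it).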