For TLS 1.3 --ecdsa/--rsa makes no difference

[dilyanpalauzov]

With most-recent check_ssl_cert, compare the output of --rsa vs --ecdsa:

Calling ./check_ssl_cert --rsa -H anciens.org invokes /usr/local/bin/openssl s_client -crlf -connect anciens.org:443 -servername anciens.org -showcerts -verify 6 -cipher aRSA while calling ./check_ssl_cert --ecdsa -H anciens.org invokes /usr/local/bin/openssl s_client -crlf -connect anciens.org:443 -servername anciens.org -showcerts -verify 6 -cipher aECDSA

/usr/local/bin/openssl s_client -crlf -connect anciens.org:443 -servername anciens.org -showcerts -verify 6 -cipher aRSA prints:

Certificate chain
 0 s:CN = anciens.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
…
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits

This is ECDSA connection and the certificate is also the EC one, once I compare the certificate on the disk with the certificate returned from s_client.

Compare to the invocation of /usr/local/bin/openssl s_client -crlf -connect anciens.org:443 -servername anciens.org -showcerts -verify 6 -cipher aECDSA:

-----BEGIN CERTIFICATE-----
MIIEpjCCA46gAwIBAgISAx0Og4j7FhqGRtNFJkXrmnL7MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA4MjExMDIxMzJaFw0x
…
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits

So in both cases the connections above deliver the EC certificate over TLS 1.3. If I pass however an additionals -tls1_2, then the output of /usr/local/bin/openssl s_client -crlf -connect anciens.org:443 -servername anciens.org -showcerts -verify 6 -cipher aRSA -tls1_2 changes to:

-----BEGIN CERTIFICATE-----
MIIGcTCCBVmgAwIBAgISA2NjjmTT9iVMrPN9Qyrjjw1LMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA4MjExMDIxMjhaFw0x
…
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

So with (implicit) TLS 1.3 chosen by s_client, -cipher aRSA does not select from the server the RSA certificate.

Looking at the cipher suites for TLS 1.3 in s_client 1.1.1, I do not see how can RSA or ECDSA be enforced, when the server and client support both. In particular, both openssl cipher aRSA and openssl cipher aECDSA print TLS_AES_256_GCM_SHA384.

https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ says “RSA encryption was removed from TLS 1.3”. This is OK, but I do want to make sure that the server:

• offers TLS 1.3 and TLS 1.2
• offers EC and RSA certificates (and for both of them OCSP must staple works)

So, if it cannot be achieved by other means, then either document on --help after --rsa, that it implies --no_tls1_3 (and create this option), or document by other means, that --rsa is not suitable to verify that the server delivers RSA certificate, while operating TSL 1.3.

[dilyanpalauzov]

For the record, if

/usr/local/bin/openssl s_client -status -tls1_2 -cipher aRSA -connect anciens.org:443

and

/usr/local/bin/openssl s_client -status -tls1_2 -cipher aECDSA -connect anciens.org:443

deliver OCSP validation, this does not mean, that

/usr/local/bin/openssl s_client -status -tls1_3 -connect anciens.org:443

delivers OCSP validation, at least with Nginx 1.6.1, https://trac.nginx.org/nginx/ticket/1867#ticket .

[dilyanpalauzov]

I do not think this will work, if the site offers only TLS 1.3 and only RSA certificate. As a matter of fact openssl s_client -connect mail.aegee.org:443 -status delivers RSA certificate, because it has no EC certificate. However I do not see a use case, when one will explicitly request RSA certificate for a site, that only has RSA certificates.

[dilyanpalauzov]

In addition, since for TLS 1.3, -ciphers aRSA is ignored, so is -ciphers aECDSA ignored. So --ecdsa should also disable TLS 1.3.

[dilyanpalauzov]

Per openssl/openssl#10131:

• to get ECDSA certificate for both TLS1.2 and TLS1.3 one has to call:
  ** openssl s_client -tls1_3 -sigalgs "ECDSA+SHA256" -connect autoconfig.aegee.org:443
  ** openssl s_client -tls1_2 -sigalgs "ECDSA+SHA256" -connect autoconfig.aegee.org:443

• to get RSA certificate for both TLS1.2 and TLS1.3 the call is:
  ** openssl s_client -tls1_2 -sigalgs "RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256" -connect autoconfig.aegee.org:443
  ** openssl s_client -tls1_3 -sigalgs "RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256" -connect autoconfig.aegee.org:443

[dilyanpalauzov]

I meant as per openssl/openssl#10131.

[dilyanpalauzov]

To get RSA certificate the call is apparently s_client -sigalgs "RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1".

This works with both www.aegee.org:443 and autoconfig.aegee.org:443.

[dilyanpalauzov]

That string cannot be shortened.

The way to get EC certificate, if available, otherwise fail, is to pass -sigalgs "ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA384:ECDSA+SHA256:ECDSA+SHA512"

[matteocorti]

I see your point, what do you suggest?

[dilyanpalauzov]

Currently the mappings are:

• check_ssl_cert --rsa → openssl s_client -cipher aRSA
• check_ssl_cert --ecdsa → openssl s_client -cipher aECDSA.

I propose these mappings:

• check_ssl_cert --rsa → openssl s_client -sigalgs "RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1"
• check_ssl_cert --ecdsa → openssl s_client -sigalgs "ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA384:ECDSA+SHA256:ECDSA+SHA512".

[matteocorti]

Thanks, I implemented the change

[dilyanpalauzov]

--rsa shall not disalbe TLS 1.3, but --help prints:

  --rsa                        cipher selection: force RSA authentication (disables TLS 1.3).

Moreover, this line SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_3" after --rsa) shall disappear.

citing “# https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ says “RSA encryption was removed from TLS 1.3” is from my current perspective not necessary.

[matteocorti]

Thanks. I fixed it.

[dilyanpalauzov]

To be precise, TLS 1.3 does disable RSA signatures, but introduces RSA-PSS signatures (and TLS 1.2 can offer both).