Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RSA signature in CertificateVerify with TLS < 1.2 #189

Merged
merged 2 commits into from
Feb 25, 2017
Merged

RSA signature in CertificateVerify with TLS < 1.2 #189

merged 2 commits into from
Feb 25, 2017

Conversation

ocheron
Copy link
Contributor

@ocheron ocheron commented Feb 19, 2017

This is a fix for the scenario with client certificate reported in #111.

Steps to reproduce:

# Prepare a self-signed certificate to be used by client & server
cd /tmp
openssl req -x509 -new -subj /CN=localhost -nodes -text -out cert.pem

# Launch TLS server in terminal 1
openssl s_server -key /tmp/privkey.pem -cert /tmp/cert.pem -www \
        -verify 1 -CAfile /tmp/cert.pem

# Launch TLS client in terminal 2
tls-simpleclient --tls11 --no-validation --use-cipher=47 \
        --client-cert=/tmp/cert.pem:/tmp/privkey.pem \
        localhost 4433

@ocheron
Fix bug related to RSA signature of CertificateVerify with TLS < 1.2
cffc8c1 
This is mirror to what was already fixed in commit 638680e.

For SSLv3, TLS 1.0, TLS 1.1 the SHA1_MD5 hashing was applied twice when
the client sends its certificate.

In certificateVerifyCreate we need to call a new function
signatureCreateWithHashDescr without this additional hashing.  Function
signatureCreate should not change because it is also called by the (EC)DH
signing functions.

The new function name is similar to what already exists for signature
verification, and design is now more symmetrical.
@ocheron
Test handshake with client authentication
0d32cc2
kazu-yamamoto
kazu-yamamoto approved these changes Feb 24, 2017
View reviewed changes
Copy link
Collaborator

@kazu-yamamoto kazu-yamamoto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Thank you for your effort to track down the cause of this issue.

@ocheron ocheron merged commit 0d32cc2 into haskell-tls:master Feb 25, 2017
ocheron added a commit that referenced this pull request Feb 25, 2017
@ocheron
Merge pull request #189 from ocheron/tls11-client-cert
bd987ca 
RSA signature in CertificateVerify with TLS < 1.2
@ocheron ocheron deleted the tls11-client-cert branch February 25, 2017 07:59
@ocheron
Copy link
Contributor Author

ocheron commented Feb 25, 2017

It made me (re)discover that we need more tests in the test suite, as entire features are not tested currently. For example I've started looking if we can add server-side ECDHE_ECDSA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kazu-yamamoto kazu-yamamoto kazu-yamamoto approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ocheron @kazu-yamamoto