[openssl-users] TLS 1.3 handshake: Limit signature algorithm?

Christian Heimes christian at python.org
Thu Nov 2 10:32:45 UTC 2017


I'm one of the maintainers of Python's ssl module. A couple of days ago
Hanno Böck opened an issue [1] against the ssl.get_server_certificate()
function [2][3]. It's a helper function to retrieve the end-entity
certificate from a remote TLS/SSL server over an unverified connection.

The implementation [3] is rather simple and has some limitations. Hanno
pointed out that it cannot handle servers with multiple certificate
types. For example Facebook supports RSA and ECDSA certs. Python's
ssl.get_server_certificate() can only retrieve the ECDSA cert. It's
fairly simple to fix the problem for TLS 1.2 and lower by limiting the
cipher suites to "aRSA:!NULL" for RSA certs and "aECDSA:!NULL" for ECDSA
certs [4].

However, this trick will not work with TLS 1.3. The new TLS 1.3 cipher
suites no longer specify the authentication algorithm or the key
agreement/exchange method. The TLS 1.3 RFC specifies a signature_algorithms
extension [5]. I could not find any API call in OpenSSL master to set
the extension for TLS 1.3 handshakes.

How can a client enforce a specific authentication algorithm or set of
signature algorithms for a TLS 1.3 handshake?


[1] https://bugs.python.org/issue31892
[2] https://docs.python.org/3/library/ssl.html#ssl.get_server_certificate
[3] https://github.com/python/cpython/blob/v3.6.2/Lib/ssl.py#L1201-L1218
[4] https://gist.github.com/tiran/6e7a5b00483376e164c951730db7d4e5
[5] https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.2.3
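The cipher-string trick described above, and the reason it stops working once TLS 1.3 suites are in the list, can be checked locally with Python's ssl module. The following is an added example, not code from the post, from CPython or from OpenSSL: `cert_type_context`, `offered_auth` and `get_server_certificate_for` are hypothetical helper names, the authentication algorithm is parsed from OpenSSL's own cipher description string (`Au=...`), and the version cap assumes Python 3.7 or later for `SSLContext.maximum_version`. Nothing touches the network at import time; only the last helper opens a connection when called.

```python
import re
import socket
import ssl

# OpenSSL cipher strings that keep only suites authenticated by one key
# type. On TLS 1.2 and below the server must then present a matching
# certificate; TLS 1.3 suites carry no authentication algorithm (Au=any)
# and are not constrained by this string.
CIPHER_STRING_FOR_CERT_TYPE = {
    "RSA": "aRSA:!NULL",
    "ECDSA": "aECDSA:!NULL",
}

# "Au=RSA", "Au=ECDSA", "Au=any", ... in OpenSSL's cipher description.
_AUTH_RE = re.compile(r"\bAu=(\w+)")


def cert_type_context(cert_type, tls12_only=False):
    """Client context that, on TLS <= 1.2, offers only suites authenticated
    by `cert_type` ("RSA" or "ECDSA"). Verification is off on purpose: the
    goal is to fetch the certificate, as ssl.get_server_certificate() does,
    not to authenticate the peer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(CIPHER_STRING_FOR_CERT_TYPE[cert_type])
    if tls12_only:
        # Assumption: Python 3.7+. Capping the protocol version is the only
        # way to make the cipher-string restriction binding, because a
        # TLS 1.3 server would otherwise pick a TLS 1.3 suite and sign
        # with whichever certificate it prefers.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def offered_auth(ctx, tls13):
    """Set of authentication algorithm labels ("RSA", "ECDSA", "any", ...)
    among the suites `ctx` would offer. With tls13=False only pre-1.3 suites
    are considered; with tls13=True only TLS 1.3 suites (empty if the local
    OpenSSL has no TLS 1.3 support).
    """
    algs = set()
    for cipher in ctx.get_ciphers():
        is_tls13 = cipher["protocol"] == "TLSv1.3"
        if is_tls13 != tls13:
            continue
        match = _AUTH_RE.search(cipher["description"])
        if match:
            algs.add(match.group(1))
    return algs


def get_server_certificate_for(addr, cert_type, timeout=10.0):
    """Like ssl.get_server_certificate(), but asks for the server's RSA or
    ECDSA certificate by restricting the offered suites. Works only when the
    server still speaks TLS 1.2; returns the certificate as PEM text.
    """
    host, _port = addr
    ctx = cert_type_context(cert_type, tls12_only=True)
    with socket.create_connection(addr, timeout=timeout) as sock:
        # server_hostname is still sent as SNI even with check_hostname off.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    for cert_type in ("RSA", "ECDSA"):
        ctx = cert_type_context(cert_type)
        print(cert_type, "pre-1.3 suites authenticate with:",
              offered_auth(ctx, tls13=False))
        print(cert_type, "TLS 1.3 suites authenticate with:",
              offered_auth(ctx, tls13=True))
```

Running the module prints `{'RSA'}` and `{'ECDSA'}` for the pre-1.3 suites, while the TLS 1.3 suites report `{'any'}` for both contexts: the cipher string selected nothing there, which is exactly the gap the post asks about. A signature_algorithms restriction would have to come from the library; the stdlib ssl module offers no setter for it, so the version cap in `cert_type_context` is the only lever available from Python.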
