no suitable signature algorithm during handshake failure
Viktor Dukhovni
openssl-users at dukhovni.org
Fri Jan 8 21:44:34 UTC 2021
On Fri, Jan 08, 2021 at 12:05:26PM -0800, Quanah Gibson-Mount wrote:
> > https://www.spinics.net/lists/openssl-users/msg05623.html
>
> Thanks Viktor. Mainly, I wasn't sure what specific information would be
> necessary. Here's what wireshark shows (IP addresses obfuscated):
It would be really helpful (also to you) if you install a more
up-to-date version of tshark, or copy the pcap file to a machine
that already has one. The version used below fails to understand
many relevant modern TLS extensions/features.
See annotations added:
> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.2 (0x0303)
>         Length: 423
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 419
>             Version: TLS 1.2 (0x0303)
>             Random
>                 GMT Unix Time: Oct 2, 2014 19:22:16.000000000 MDT
>                 Random Bytes: 3226c3627d2ba7c967ce2cf097e616d9cbe45d1bb1cc21f4...
>             Session ID Length: 32
>             Session ID: bde8c16349a08e56a121b6e7aa1f317acf42186ba79b134d...
>             Cipher Suites Length: 88
>             Cipher Suites (44 suites)
>         -->     Cipher Suite: Unknown (0x1301) -- i.e. TLS_AES_128_GCM_SHA256
>         -->     Cipher Suite: Unknown (0x1302) -- i.e. TLS_AES_256_GCM_SHA384
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>                 Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>                 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>                 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
>             Compression Methods Length: 1
>             Compression Methods (1 method)
>             Extensions Length: 258
>             Extension: server_name
>                 Type: server_name (0x0000)
>                 Length: 35
>                 Server Name Indication extension
>                     Server Name list length: 33
>                     Server Name Type: host_name (0)
>                     Server Name length: 30
>                     Server Name: directory.srv.TEST.ualberta.ca
>             Extension: status_request
>                 Type: status_request (0x0005)
>                 Length: 5
>                 Certificate Status Type: OCSP (1)
>                 Responder ID list Length: 0
>                 Request Extensions Length: 0
>             Extension: elliptic_curves
>                 Type: elliptic_curves (0x000a)
>                 Length: 32
>                 Elliptic Curves Length: 30
>                 Elliptic curves (15 curves)
>             Extension: ec_point_formats
>                 Type: ec_point_formats (0x000b)
>                 Length: 2
>                 EC point formats Length: 1
>                 Elliptic curves point formats (1)
>             Extension: signature_algorithms
>                 Type: signature_algorithms (0x000d)
>                 Length: 22
>                 Signature Hash Algorithms Length: 20
>                 Signature Hash Algorithms (10 algorithms)
>                     Signature Hash Algorithm: 0x0403
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0503
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0603
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0401
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0501
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0601
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0402
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Hash Algorithm: 0x0203
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Hash Algorithm: 0x0201
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Hash Algorithm: 0x0202
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>             Extension: Unknown 50
>                 Type: Unknown (0x0032)
>                 Length: 22
>                 Data (22 bytes)
>             Extension: status_request_v2
>                 Type: status_request_v2 (0x0011)
>                 Length: 9
>                 Certificate Status Type: OCSP Multi (2)
>                     Certificate Status Length: 4
>                     Responder ID list Length: 0
>                     Request Extensions Length: 0
>             Extension: Extended Master Secret
>                 Type: Extended Master Secret (0x0017)
>                 Length: 0
> ! --->      Extension: Unknown 43 -- i.e. supported_versions!
>                 Type: Unknown (0x002b) -- Almost certainly w/ TLS 1.3
>                 Length: 9
>                 Data (9 bytes)
> ! --->      Extension: Unknown 45 -- psk_key_exchange_modes
>                 Type: Unknown (0x002d) -- a TLS 1.3 feature
>                 Length: 2
>                 Data (2 bytes)
> ! --->      Extension: Unknown 51 -- key_share
>                 Type: Unknown (0x0033) -- a TLS 1.3 feature
>                 Length: 71
>                 Data (71 bytes)
>             Extension: renegotiation_info
>                 Type: renegotiation_info (0xff01)
>                 Length: 1
>                 Renegotiation Info extension
>                     Renegotiation info extension length: 0
The client almost certainly offered TLS 1.3 (via supported_versions),
but failed to offer a TLS 1.3-compatible RSA signature algorithm.
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme
Among the signature algorithms offered by the client:
> Signature Hash Algorithm: 0x02,01 -- rsa_pkcs1_sha1
> Signature Hash Algorithm: 0x04,01 -- rsa_pkcs1_sha256
> Signature Hash Algorithm: 0x05,01 -- rsa_pkcs1_sha384
> Signature Hash Algorithm: 0x06,01 -- rsa_pkcs1_sha512
> Signature Hash Algorithm: 0x02,02 -- dsa_sha1
> Signature Hash Algorithm: 0x04,02 -- dsa_sha256
> Signature Hash Algorithm: 0x02,03 -- ecdsa_sha1
> Signature Hash Algorithm: 0x04,03 -- ecdsa_secp256r1_sha256
> Signature Hash Algorithm: 0x05,03 -- ecdsa_secp256r1_sha384
> Signature Hash Algorithm: 0x06,03 -- ecdsa_secp256r1_sha512
None were PSS, and RFC 8446 says:
In addition, the signature algorithm MUST be compatible with the key
in the sender's end-entity certificate. RSA signatures MUST use an
RSASSA-PSS algorithm, regardless of whether RSASSA-PKCS1-v1_5
algorithms appear in "signature_algorithms". The SHA-1 algorithm
MUST NOT be used in any signatures of CertificateVerify messages.
> > What sort of certificate does the server have. Are there any ssl module
> > settings in its openssl.cnf file?
>
> no module settings for openssl.cnf.
>
> For the server with the non-working cert, this is the x509 text output:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             ---
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
>         Validity
>             Not Before: Mar 26 17:49:45 2020 GMT
>             Not After : Apr 30 21:21:03 2022 GMT
>         Subject: C=CA, ST=Alberta, L=---
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
The certificate does not require PSS, but TLS 1.3 does.
--
Viktor.
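Editor's added example (not Viktor's code and not OpenSSL's selection logic): a small model of the rule quoted above from RFC 8446. It decodes a signature_algorithms extension body and reports which offered schemes a server may use for its handshake signature, given its certificate key type and the negotiated version. The byte strings are constructed from the ten codes listed in the capture (they are not the raw bytes from the pcap), the scheme names are taken from the IANA SignatureScheme registry linked above, and the "fixed" list simply prepends the rsa_pss_rsae_* codes a TLS 1.3 client needs for an RSA certificate. Real OpenSSL additionally applies its security level and any configured SignatureAlgorithms, which this model ignores.

```python
"""Which offered TLS signature schemes can a server actually use?

Models RFC 8446 section 4.4.3 (TLS 1.3) and RFC 5246 section 7.4.1.4.1
(TLS 1.2) for the signature_algorithms extension (type 0x000d).
"""
import struct
from typing import Dict, List, Tuple

# Subset of the IANA TLS SignatureScheme registry, named as in RFC 8446.
SIGNATURE_SCHEMES: Dict[int, str] = {
    0x0201: "rsa_pkcs1_sha1",        0x0202: "dsa_sha1",
    0x0203: "ecdsa_sha1",            0x0401: "rsa_pkcs1_sha256",
    0x0402: "dsa_sha256",            0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384",      0x0503: "ecdsa_secp384r1_sha384",
    0x0601: "rsa_pkcs1_sha512",      0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",   0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",   0x0807: "ed25519",
    0x0808: "ed448",                 0x0809: "rsa_pss_pss_sha256",
    0x080A: "rsa_pss_pss_sha384",    0x080B: "rsa_pss_pss_sha512",
}

TLS12: Tuple[int, int] = (3, 3)
TLS13: Tuple[int, int] = (3, 4)

# Constructed from the ten codes in the capture above, in the same order.
CAPTURED_SIGALGS = bytes.fromhex(
    "0014"  # list length: 10 schemes x 2 bytes
    "0403" "0503" "0603" "0401" "0501" "0601" "0402" "0203" "0201" "0202"
)

# Constructed: the same list with the RSA-PSS (rsae) schemes prepended,
# which is what a TLS 1.3 client must offer to talk to an RSA certificate.
FIXED_SIGALGS = bytes.fromhex(
    "001a"  # list length: 13 schemes x 2 bytes
    "0804" "0805" "0806"
    "0403" "0503" "0603" "0401" "0501" "0601" "0402" "0203" "0201" "0202"
)


def parse_signature_algorithms(ext_body: bytes) -> List[int]:
    """Decode the extension body: 2-byte list length, then 2-byte codes."""
    if len(ext_body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len == 0 or list_len % 2 or 2 + list_len != len(ext_body):
        raise ValueError("inconsistent signature_algorithms list length")
    return [struct.unpack("!H", ext_body[i:i + 2])[0]
            for i in range(2, 2 + list_len, 2)]


def usable_schemes(offered: List[int], server_key: str,
                   version: Tuple[int, int]) -> List[str]:
    """Offered schemes a server with key type server_key ('rsa', 'rsa-pss',
    'ecdsa', 'dsa') may use for CertificateVerify (TLS 1.3) or for
    ServerKeyExchange in (EC)DHE suites (TLS 1.2), in the client's order.

    TLS 1.3: RSA keys MUST sign with RSASSA-PSS even if rsa_pkcs1_* is
    offered, SHA-1 MUST NOT be used, DSA is not defined.  TLS 1.2 only
    requires the signature algorithm to match the key type.  The ECDSA
    curve/hash pairing TLS 1.3 also requires is not checked here."""
    usable = []
    for code in offered:
        name = SIGNATURE_SCHEMES.get(code)
        if name is None:
            continue  # unknown or reserved code point: skip it
        if version == TLS13:
            ok = ((server_key == "rsa" and name.startswith("rsa_pss_rsae_"))
                  or (server_key == "rsa-pss" and name.startswith("rsa_pss_pss_"))
                  or (server_key == "ecdsa" and name.startswith("ecdsa_secp")))
        elif version == TLS12:
            ok = ((server_key == "rsa" and name.startswith(("rsa_pkcs1_", "rsa_pss_rsae_")))
                  or (server_key == "ecdsa" and name.startswith("ecdsa_"))
                  or (server_key == "dsa" and name.startswith("dsa_")))
        else:
            raise ValueError("unsupported protocol version %r" % (version,))
        if ok:
            usable.append(name)
    return usable


def diagnose(ext_body: bytes, server_key: str, version: Tuple[int, int]) -> str:
    """One-line verdict, worded after the OpenSSL alert in the subject line."""
    usable = usable_schemes(parse_signature_algorithms(ext_body), server_key, version)
    return "would sign with " + usable[0] if usable else "no suitable signature algorithm"


if __name__ == "__main__":
    for label, body in (("captured", CAPTURED_SIGALGS), ("with PSS", FIXED_SIGALGS)):
        for ver_name, ver in (("TLS 1.2", TLS12), ("TLS 1.3", TLS13)):
            print(f"{label:9s} {ver_name}, RSA cert: {diagnose(body, 'rsa', ver)}")
```

Run stand-alone, the captured list against an RSA certificate gives "no suitable signature algorithm" under TLS 1.3 and rsa_pkcs1_sha256 under TLS 1.2, which is exactly the split in the report: the same client works when only TLS 1.2 is in play. The client side of this can be reproduced against a live server with `openssl s_client -tls1_3 -sigalgs RSA+SHA256`, which restricts the offered list to a PKCS#1 v1.5 scheme.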