Hello, I have a question for someone with deep knowledge about
cryptology. The question regards Fedora's crypto policies and a certain
usage of SHA-1 in TLS.
I encountered a web server that Seamonkey and Firefox refuse to talk
to. Both give me the error SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM.
In an attempt to find out more, I checked the server with Qualys' SSL
Server Test (https://www.ssllabs.com/ssltest/). Qualys gave it an A+,
which is supposed to mean that its security is excellent.
Next I used Wireshark to inspect the TLS handshake. Wireshark reported
usage of SHA-1, not in the certificate but in a signature associated
with elliptic curve parameters:
| TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
| Content Type: Handshake (22)
| Version: TLS 1.2 (0x0303)
| Length: 333
| Handshake Protocol: Server Key Exchange
| Handshake Type: Server Key Exchange (12)
| Length: 329
| EC Diffie-Hellman Server Params
| Curve Type: named_curve (0x03)
| Named Curve: secp256r1 (0x0017)
| Pubkey Length: 65
| Pubkey:
041f840f40a2178f875274097092ca2549138f8a7bd52df895ea413b742d1714a6cf873e…
| Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
| Signature Hash Algorithm Hash: SHA1 (2)
| Signature Hash Algorithm Signature: RSA (1)
| Signature Length: 256
| Signature:
09147d81aa601dc402e62cf7f943196c89822a0c8bbe07d8443654519b0e04f51b0b8e72…
To check whether this was the problem, I temporarily added "SHA1" to
/etc/crypto-policies/back-ends/nss.config. This made the error go away,
and the browser happily loaded the page.
My question is: Is it true that this usage of SHA-1 makes the TLS
session weak, so that it's correct to forbid it in the crypto policy?
Or could it be that Qualys is right? Perhaps SHA-1 is fine for this use
case, even though it's too weak for other use cases, and the crypto
policy should allow it?
The website where I saw this is https://www.euroclear.com/ in case
anyone wants to test things themselves.
Björn Persson
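To make the Wireshark observation above concrete, here is an added example (not part of Björn's message or of Fedora's crypto-policies) that parses the body of a TLS 1.2 ECDHE ServerKeyExchange laid out exactly like the captured one and reports which hash backs the signature, so an auditor can flag SHA-1 signed key exchanges in a capture. The key and signature bytes in the sample are constructed placeholders, not values from the real server.

```python
import struct

# Code points from the TLS 1.2 SignatureAndHashAlgorithm registry (RFC 5246 s7.4.1.4.1).
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
NAMED_CURVES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1", 0x001d: "x25519"}
WEAK_HASHES = {"md5", "sha1"}


def parse_ecdhe_server_key_exchange(body: bytes) -> dict:
    """Parse a TLS 1.2 ServerKeyExchange body carrying ECDHE params
    (RFC 5246 s7.4.3 / RFC 8422 s5.4): curve_type, named_curve, point,
    signature_algorithm and the signature over the params."""
    if body[0] != 0x03:
        raise ValueError("only named_curve (0x03) ECDHE params are supported")
    curve_id = struct.unpack(">H", body[1:3])[0]
    pub_len = body[3]
    pubkey = body[4:4 + pub_len]
    if len(pubkey) != pub_len:
        raise ValueError("truncated public key")
    off = 4 + pub_len
    hash_id, sig_id = body[off], body[off + 1]
    sig_len = struct.unpack(">H", body[off + 2:off + 4])[0]
    signature = body[off + 4:off + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    hash_name = HASH_NAMES.get(hash_id, f"unknown({hash_id})")
    return {
        "curve": NAMED_CURVES.get(curve_id, f"unknown({curve_id:#06x})"),
        "pubkey_len": pub_len,
        "hash": hash_name,
        "sig": SIG_NAMES.get(sig_id, f"unknown({sig_id})"),
        "sig_len": sig_len,
        # The signature only binds the ECDHE params as strongly as its hash.
        "weak_hash": hash_name in WEAK_HASHES,
    }


def build_sample() -> bytes:
    # Constructed sample with the same layout and lengths as the capture in the
    # post: secp256r1, 65-byte uncompressed point, rsa_pkcs1_sha1 (0x0201),
    # 256-byte signature. Point and signature bytes are placeholders, not real.
    point = b"\x04" + b"\x11" * 64
    signature = b"\x22" * 256
    return (b"\x03" + struct.pack(">H", 0x0017) + bytes([len(point)]) + point
            + b"\x02\x01" + struct.pack(">H", len(signature)) + signature)


if __name__ == "__main__":
    print(parse_ecdhe_server_key_exchange(build_sample()))
```

The sample body is 329 bytes, matching the handshake length in the capture; in a real capture the parser would be fed the bytes following the 4-byte handshake header.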