Message-ID: <20240808190532.Uwg8_Ylc@steffen%sdaoden.eu>
Date: Thu, 08 Aug 2024 21:05:32 +0200
From: Steffen Nurpmeso <steffen@...oden.eu>
To: oss-security@...ts.openwall.com
Subject: Re: feedback requested regarding deprecation of TLS 1.0/1.1

Clemens Lang wrote in
 <E3810E68-25CC-456F-9DC4-A03752C43E79@...hat.com>:
 |Hello Steffen,

Hallo.  (I presume.)

 |> On 7. Aug 2024, at 22:16, Steffen Nurpmeso <steffen@...oden.eu> wrote:
 |> 
 |> Isn't that terribly rhetorical, and can kill sheep indeed.
 |> To reiterate that SSL/TLS are standards, they had version
 |> iterations, which possibly got around some real protocol problem.
 |> These offer standardized sets of ciphersuites, some of those, of
 |> the elder versions, are "no longer secure".  (I am no
 |> cryptographer to tell whether they ever were completely so, or
 |> whether there are "mathematical tricks" to get away without brute
 |> force for them.  That aside.)  That is basically it.  But, as far
 |> as I understand it, even TLSv1 supported forward-secrecy stuff, i.e.
 |> 
 |>  # openssl ciphers -v EECDH+AESGCM:EECDH+AES256:CHACHA20:!DHE
 |> 
 |> gives two members, and except for the SHA-1 MAC this looks pretty
 |> modern.  But again: i am far from being an expert.
 |
 |TLS < 1.2 only supports a single signature algorithm, which uses SHA1-MD5 as digest.
 |Only TLS >= 1.2 supports the signature_algorithms extension to negotiate modern digests.
 |
 |MD-5 is fully broken. SHA-1 is questionable. Their combination may withstand attacks a little bit longer, but probably not by much.
 |
 |The MAC is actually fine, since it's HMAC with SHA-1, which isn't as affected by a SHA-1 collision attack [1].
 |
 |  [1]: https://security.stackexchange.com/questions/187866/why-aren-t-collisions-important-with-hmac

Ok, here you got me.  I would have to (actually a little bit of
re-) read the entire TLS specification 1.1 (2246) in order to give
some useful answer.  I.e., whether the non-HMAC usage of MD5/SHA-1
in TLSv1.1 is used in a way that is truly problematic, or whether
they exist in data blocks that are protected by other means,
protected by the stream cipher or signed by a key that anyway has
to be verified via private/public key cryptography.
I never read 5246, just downloaded it an hour ago to read the
referenced appendix.  (Not a network expert etc.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbel's Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems to be:
|   Total war - shortest war -> Permanent war - everlasting war
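As an added illustration of the point under discussion (this is example code written for this page, not code from either poster or from any TLS implementation), the following standard-library Python shows where TLS 1.0/1.1 use MD5 and SHA-1 outside of HMAC and where they use them inside it, next to the TLS 1.2 equivalents. The PRF and record-MAC constructions follow RFC 2246/4346 section 5 and 6.2.3.1, the pre-1.2 ServerKeyExchange signature input follows RFC 2246 section 7.4.3, and the TLS 1.2 variants follow RFC 5246. All secrets, randoms and key-exchange parameters in the block are constructed sample values, not captured from a real handshake.

```python
"""Where TLS 1.0/1.1 use MD5 and SHA-1, versus TLS 1.2 (added example, offline)."""
import hashlib
import hmac
import struct


def p_hash(hash_name, secret, seed, length):
    """P_hash data expansion of RFC 2246 section 5: HMAC chained on A(i)."""
    out = b""
    a = seed                                               # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10_11(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246/4346 section 5): P_MD5 over the first half of
    the secret XORed with P_SHA1 over the second half. Both halves share one
    byte when the secret has odd length, as the RFC specifies. Note that both
    hashes are used only inside HMAC here."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5): a single P_SHA256 over the whole secret."""
    return p_hash("sha256", secret, label + seed, length)


def pre12_rsa_signature_input(client_random, server_random, params):
    """Bytes an RSA ServerKeyExchange signature covers in TLS 1.0/1.1
    (RFC 2246 section 7.4.3): MD5(data) || SHA1(data), 36 raw bytes, no
    DigestInfo. This is the fixed "SHA1-MD5" digest that cannot be
    negotiated away below TLS 1.2, and the hashes are NOT inside HMAC."""
    data = client_random + server_random + params
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


def tls12_signature_input(client_random, server_random, params, hash_name="sha256"):
    """TLS 1.2 (RFC 5246 section 7.4.1.4.1): the digest is whichever one the
    signature_algorithms extension negotiated, so MD5/SHA-1 can be avoided."""
    return hashlib.new(hash_name, client_random + server_random + params).digest()


def record_mac_sha1(mac_key, seq_num, content_type, version, fragment):
    """TLS 1.0/1.1 record MAC (RFC 2246 section 6.2.3.1):
    HMAC-SHA1(mac_key, seq_num || type || version || length || fragment).
    Being HMAC with a secret key, a SHA-1 collision alone does not hand an
    attacker a forgery, which is the distinction made in the thread."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, "sha1").digest()


if __name__ == "__main__":
    # Constructed sample values; in a real handshake they come from the peers.
    premaster = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    # Constructed ECDHE ServerKeyExchange params: named_curve, secp256r1, 65-byte point.
    params = b"\x03\x00\x17\x41" + b"\x04" * 65

    ms_old = prf_tls10_11(premaster, b"master secret", client_random + server_random, 48)
    ms_new = prf_tls12(premaster, b"master secret", client_random + server_random, 48)
    print("TLS 1.0/1.1 master secret (MD5+SHA1 PRF):", ms_old.hex())
    print("TLS 1.2 master secret (SHA-256 PRF):    ", ms_new.hex())

    old_sig = pre12_rsa_signature_input(client_random, server_random, params)
    new_sig = tls12_signature_input(client_random, server_random, params)
    print("TLS < 1.2 signature input: %d bytes = MD5 || SHA1" % len(old_sig))
    print("TLS 1.2 signature input:   %d bytes = negotiated SHA-256" % len(new_sig))

    mac = record_mac_sha1(b"\x33" * 20, 0, 23, 0x0302, b"application data")
    print("TLS 1.1 record HMAC-SHA1:", mac.hex())
```

Running the script prints the two master secrets and the record MAC; the practical takeaway is that the MAC and the PRF wrap MD5/SHA-1 in HMAC with a secret key, whereas the pre-1.2 signature input is a bare, unkeyed MD5||SHA1 concatenation that only TLS 1.2's signature_algorithms extension lets the peers replace.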
