
List:       ietf-tls
Subject:    Re: [TLS] consensus on backwards compatibility changes
From:       Florian Weimer <fweimer () redhat ! com>
Date:       2015-01-29 10:01:57
Message-ID: 54CA0515.5090506 () redhat ! com

On 01/28/2015 09:42 PM, Martin Rex wrote:
> There are several serious design flaws (resulting in serious weaknesses)
> in the TLSv1.2 signature algorithm extension, however.  TLSv1.2 is the
> only TLS protocol version where (rsa,md5) is a valid signature algorithm
> for creating "digitally-signed" PDUs (ServerKeyExchange and
> CertificateVerify), and that was a terribly stupid decision.
> Even (rsa,sha1) is significantly weaker than what every prior TLS
> protocol version, including SSLv3 had been using (rsa,sha1+md5).

Yes, that's what I meant, or more precisely, the {rsa,sha1} default in
case of a missing TLS extension (which includes the SSLv2 Client Hello case).

-- 
Florian Weimer / Red Hat Product Security
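For readers following the thread, the point under discussion is how a TLS 1.2 server decides which (hash, signature) pair it may use for `digitally-signed` structures such as ServerKeyExchange: RFC 5246 lets the client list pairs in the `signature_algorithms` extension (type 13), allows `md5` as a HashAlgorithm value, and tells the server to assume `{sha1, rsa}` when the extension is absent, whereas TLS 1.0/1.1 signed the concatenation of an MD5 and a SHA-1 digest. The Python below is an added illustration written for this archive page, not code from either poster or from any TLS implementation: it decodes the extension body, applies the RFC default when the extension is missing, and applies a server-side policy that refuses `md5` outright and falls back to `sha1` only when explicitly permitted. The byte strings, function names and policy are constructed for the example.

```python
"""Parse a TLS 1.2 signature_algorithms extension and apply a server-side
acceptance policy for the hash used in digitally-signed structures.

Constructed example: function names, sample bytes and policy are the
editor's, not the posters' or any TLS library's.
"""
import hashlib
import struct

# HashAlgorithm and SignatureAlgorithm registries (RFC 5246 section 7.4.1.4.1).
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
SIGNATURE_ALGORITHMS_EXT = 13  # extension type number for signature_algorithms


def parse_signature_algorithms(body: bytes) -> list[tuple[str, str]]:
    """Decode supported_signature_algorithms<2..2^16-2>: a 2-byte length
    followed by (HashAlgorithm, SignatureAlgorithm) byte pairs."""
    if len(body) < 2:
        raise ValueError("extension body too short")
    (length,) = struct.unpack("!H", body[:2])
    pairs = body[2:2 + length]
    if len(pairs) != length or length < 2 or length % 2 != 0:
        raise ValueError("malformed supported_signature_algorithms vector")
    return [(HASH_NAMES.get(h, f"hash({h})"), SIG_NAMES.get(s, f"sig({s})"))
            for h, s in zip(pairs[0::2], pairs[1::2])]


def effective_signature_algorithms(extensions: dict[int, bytes],
                                   sig_alg: str = "rsa"):
    """Return (offered pairs, defaulted). RFC 5246 says that when the client
    sends no signature_algorithms extension the server must behave as if it
    received {sha1, <signature algorithm of the cipher suite>}; that implicit
    {sha1, rsa} default is what the thread is complaining about."""
    if SIGNATURE_ALGORITHMS_EXT not in extensions:
        return [("sha1", sig_alg)], True
    return parse_signature_algorithms(extensions[SIGNATURE_ALGORITHMS_EXT]), False


# Strongest first; md5 and "none" are deliberately absent so they never win.
PREFERRED_HASHES = ["sha512", "sha384", "sha256", "sha224"]


def choose_signature_algorithm(extensions: dict[int, bytes],
                               sig_alg: str = "rsa",
                               allow_sha1_fallback: bool = False):
    """Pick the (hash, sig) pair the server will sign with, or None if the
    client (or the RFC default) offers nothing acceptable."""
    offered, _defaulted = effective_signature_algorithms(extensions, sig_alg)
    for hash_name in PREFERRED_HASHES:
        if (hash_name, sig_alg) in offered:
            return (hash_name, sig_alg)
    if allow_sha1_fallback and ("sha1", sig_alg) in offered:
        return ("sha1", sig_alg)
    return None  # refuse rather than sign with md5 or an unwanted sha1


def legacy_rsa_signature_input(data: bytes) -> bytes:
    """The 36-byte MD5||SHA-1 value that TLS 1.0/1.1 (and SSLv3) RSA
    signatures covered, i.e. the (rsa,sha1+md5) construction the quoted
    message contrasts with TLS 1.2's single-hash signatures."""
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


# Constructed ClientHello extension bodies for demonstration.
CONSTRUCTED_EXT_BODY = b"\x00\x06\x04\x01\x02\x01\x01\x01"  # sha256/rsa, sha1/rsa, md5/rsa
CONSTRUCTED_MD5_ONLY = b"\x00\x02\x01\x01"                   # md5/rsa only

if __name__ == "__main__":
    print(parse_signature_algorithms(CONSTRUCTED_EXT_BODY))
    print(choose_signature_algorithm({SIGNATURE_ALGORITHMS_EXT: CONSTRUCTED_EXT_BODY}))
    print(choose_signature_algorithm({}))                           # extension absent
    print(choose_signature_algorithm({}, allow_sha1_fallback=True))
    print(choose_signature_algorithm({SIGNATURE_ALGORITHMS_EXT: CONSTRUCTED_MD5_ONLY},
                                     allow_sha1_fallback=True))
```

The design choice worth noting is that the policy is applied after the RFC default is substituted, so a missing extension (the SSLv2-compatible ClientHello case mentioned above) does not silently become an `sha1` signature: it is accepted only where the operator has opted in.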

