libssl/libtls signal the wrong signature algorithm in ServerKeyExchange message


Andreas Bartelt-2
In case an ECDSA based server certificate with ECDHE based key exchange
is used, I've noticed that the ServerKeyExchange message (always?)
signals that this message has been signed with ecdsa-secp521r1-sha512
(0x0603) [tested on current with TLS 1.2 with P-256 as well as with
P-521 server certificates -- the actual signature sizes differ as
expected but the signalling of the signature algorithm is identical in
both cases].

Example: in case the server certificate contains a P-256 based public
key, the actually provided signature for the ServerKeyExchange message
is ecdsa-secp256r1-sha256. However, the signature algorithm field
signals 0x0603 [ecdsa-secp521r1-sha512] instead of 0x0403
[ecdsa-secp256r1-sha256].

Multiple TLS libraries seem to behave this way, but, according to RFCs,
I would expect the actually used signature algorithm to be provided with
the ServerKeyExchange message. Could someone please clarify if this is a
bug?

Slightly related: is there a good reason why libtls doesn't provide an
API call for explicitly configuring allowed signature algorithms (via
Signature Algorithms extension)? (e.g., in order to ensure that
ecdsa-sha1 0x0203 is not included in the list).

Best regards
Andreas
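To make the mismatch described in the post concrete, here is an added Python example (not code from this thread and not LibreSSL's libssl/libtls) that parses the body of a TLS 1.2 ECDHE ServerKeyExchange, decodes the two-byte SignatureAndHashAlgorithm field, and checks it against the curve of the server certificate. In TLS 1.2 (RFC 5246) that field is a (hash, signature) pair, so 0x0603 is literally "sha512 + ecdsa"; the curve-bound names ecdsa_secp256r1_sha256 / ecdsa_secp521r1_sha512 come from TLS 1.3 (RFC 8446), which reuses the same code points. The ephemeral point and the signature bytes below are constructed, not captured from a real handshake, and the curve-from-signature-size helper is a heuristic that only looks at the DER integer lengths, i.e. the size difference the post observes.

```python
import struct

# Code points from RFC 5246 section 7.4.1.4.1 (TLS 1.2 HashAlgorithm / SignatureAlgorithm).
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# RFC 8446 section 4.2.3 names for the same two-byte values (curve-bound for ECDSA).
SCHEME_NAMES = {0x0203: "ecdsa_sha1", 0x0403: "ecdsa_secp256r1_sha256",
                0x0503: "ecdsa_secp384r1_sha384", 0x0603: "ecdsa_secp521r1_sha512"}
NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}  # RFC 8422 NamedCurve
CURVE_HASH = {"secp256r1": 4, "secp384r1": 5, "secp521r1": 6}      # hash RFC 8446 pairs with each curve


def parse_ecdhe_server_key_exchange(body: bytes) -> dict:
    """Parse a TLS 1.2 ECDHE ServerKeyExchange body: ECParameters, point, sig alg, signature."""
    if body[0] != 3:                                   # ECCurveType.named_curve
        raise ValueError("only named_curve ECParameters are handled")
    curve_id = struct.unpack("!H", body[1:3])[0]       # curve of the *ephemeral* key
    point_len = body[3]
    point = body[4:4 + point_len]
    off = 4 + point_len
    hash_id, sig_id = body[off], body[off + 1]         # SignatureAndHashAlgorithm
    sig_len = struct.unpack("!H", body[off + 2:off + 4])[0]
    signature = body[off + 4:off + 4 + sig_len]
    if len(point) != point_len or len(signature) != sig_len:
        raise ValueError("truncated ServerKeyExchange")
    return {
        "curve": NAMED_CURVES.get(curve_id, f"unknown({curve_id})"),
        "point": point,
        "hash": HASH_NAMES.get(hash_id, f"unknown({hash_id})"),
        "sig": SIG_NAMES.get(sig_id, f"unknown({sig_id})"),
        "scheme": SCHEME_NAMES.get((hash_id << 8) | sig_id, f"0x{hash_id:02x}{sig_id:02x}"),
        "hash_id": hash_id, "sig_id": sig_id,
        "signature": signature,
    }


def _der_len(buf: bytes, off: int):
    """Decode a DER length at buf[off]; returns (length, offset after the length)."""
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    n = first & 0x7F
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def ecdsa_der_int_lengths(sig: bytes):
    """Byte lengths of r and s in a DER ECDSA-Sig-Value, ignoring DER's sign-padding zero."""
    if sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, off = _der_len(sig, 1)
    lengths = []
    for _ in range(2):
        if sig[off] != 0x02:
            raise ValueError("expected DER INTEGER")
        length, off = _der_len(sig, off + 1)
        lengths.append(len(sig[off:off + length].lstrip(b"\x00")))
        off += length
    return tuple(lengths)


def infer_curve_from_signature(sig: bytes):
    """Heuristic: the larger of r/s bounds the group order size (32/48/66 bytes)."""
    largest = max(ecdsa_der_int_lengths(sig))
    for limit, name in ((32, "secp256r1"), (48, "secp384r1"), (66, "secp521r1")):
        if largest <= limit:
            return name
    return None


def signalled_matches_certificate(parsed: dict, cert_curve: str) -> bool:
    """True when the signalled (hash, sig) pair is the RFC 8446 scheme for the cert's curve."""
    return parsed["sig_id"] == 3 and parsed["hash_id"] == CURVE_HASH[cert_curve]


def der_ecdsa_signature(r: bytes, s: bytes) -> bytes:
    """Build a DER ECDSA-Sig-Value from raw r and s (used here only to construct samples)."""
    def length(n): return bytes([n]) if n < 0x80 else bytes([0x81, n])
    def integer(v):
        v = v.lstrip(b"\x00") or b"\x00"
        if v[0] & 0x80:
            v = b"\x00" + v
        return b"\x02" + length(len(v)) + v
    body = integer(r) + integer(s)
    return b"\x30" + length(len(body)) + body


def build_server_key_exchange(curve_id, point, hash_id, sig_id, signature) -> bytes:
    """Serialise an ECDHE ServerKeyExchange body (constructed test input, not a real capture)."""
    return (bytes([3]) + struct.pack("!H", curve_id) + bytes([len(point)]) + point
            + bytes([hash_id, sig_id]) + struct.pack("!H", len(signature)) + signature)


# Constructed sample data (hypothetical values, not from any real handshake).
SAMPLE_POINT = b"\x04" + bytes(range(64))                       # uncompressed P-256 point shape
SAMPLE_SIG_P256 = der_ecdsa_signature(bytes([0x11]) * 32, bytes([0x22]) * 32)
SAMPLE_SIG_P521 = der_ecdsa_signature(b"\x01" + b"\xaa" * 65, b"\x01" + b"\xbb" * 65)

if __name__ == "__main__":
    # The situation from the post: P-256 certificate, but the field says sha512+ecdsa (0x0603).
    ske = build_server_key_exchange(23, SAMPLE_POINT, 6, 3, SAMPLE_SIG_P256)
    parsed = parse_ecdhe_server_key_exchange(ske)
    print("signalled:", parsed["scheme"], "| sig sizes:", ecdsa_der_int_lengths(parsed["signature"]),
          "| size suggests:", infer_curve_from_signature(parsed["signature"]),
          "| matches P-256 cert:", signalled_matches_certificate(parsed, "secp256r1"))
```

Run against a real capture, the same check flags a ServerKeyExchange whose signalled scheme disagrees with the certificate's curve; the ephemeral curve reported in ECParameters is deliberately kept separate from the certificate curve, since the two need not match.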