sslscan
False Positive 'TLS1.3 Server accepts all signature algorithms'
Summary
sslscan may return a False Positive 'Server accepts all signature algorithms' for TLS1.3.
Example
Signature Algorithm = RSA+SHA256 (rsa_pkcs1_sha256)
Not supported by aws.amazon.com.
openssl s_client -connect aws.amazon.com:443 -sigalgs "RSA+SHA256" -tls1_3

However, sslscan still reports 'Server accepts all signature algorithms' for the same host:
sslscan --show-sigs --no-cipher-details --no-ciphersuites --no-compression --no-fallback --no-groups --no-heartbleed --no-renegotiation --no-check-certificate --tls13 aws.amazon.com

Explanation
Currently, sslscan only checks whether a ServerHello message was received after offering a signature algorithm; if it was, that signature algorithm is recorded as accepted by the server.
https://github.com/rbsec/sslscan/blob/b31459eb25324ddae52293b5ac46f2c86e8f7e51/sslscan.c#L6011-L6044
However, in TLS 1.3 the algorithm the server actually signs with is carried in the CertificateVerify message, not decided at ServerHello:
TL;DR: if the server cannot use any of the signature algorithms offered by the client, it may still continue the handshake and sign CertificateVerify with a different algorithm, so receiving a ServerHello proves nothing about the offered algorithm.
... Servers MUST send this message when authenticating via a certificate. ... If the CertificateVerify message is sent by a server, the signature algorithm MUST be one offered in the client's "signature_algorithms" extension unless no valid certificate chain can be produced without unsupported algorithms (see Section 4.2.3).
https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.3
"If the server cannot produce a certificate chain that is signed only via the indicated supported algorithms, then it SHOULD continue the handshake by sending the client a certificate chain of its choice that may include algorithms that are not known to be supported by the client. This fallback chain SHOULD NOT use the deprecated SHA-1 hash algorithm in general, but MAY do so if the client's advertisement permits it, and MUST NOT do so otherwise."
https://datatracker.ietf.org/doc/html/rfc8446#page-67
As such, sslscan never inspects the CertificateVerify message sent by the server, so it cannot tell whether the server used the signature algorithm the client offered or fell back to a different one. The fallback is visible in a traced handshake:
openssl s_client -connect aws.amazon.com:443 -sigalgs "RSA+SHA256" -msg -trace

Remediation
When the server's CertificateVerify message is received, extract its SignatureScheme and report the offered signature algorithm as accepted only if the scheme matches one the client sent in its "signature_algorithms" extension; if it differs, report the algorithm as not accepted.
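The following is an added example, not sslscan's code, showing the check described above and in the Explanation: it parses a plaintext (post-decryption) TLS 1.3 CertificateVerify handshake message per RFC 8446 section 4.4.3 and compares its SignatureScheme with the list the client offered. The CertificateVerify message is constructed here rather than captured; the scenario assumes an RSA-certificate server that, offered only rsa_pkcs1_sha256 (which TLS 1.3 does not allow for handshake signatures), continues with rsa_pss_rsae_sha256 as the RFC permits. The names sslscan_current_verdict and corrected_verdict are illustrative, not sslscan functions.

```python
from __future__ import annotations
import struct

# Added example, not sslscan's code. Sample messages are constructed.
HANDSHAKE_CERTIFICATE_VERIFY = 15  # HandshakeType.certificate_verify (RFC 8446 4.4.3)

# SignatureScheme code points from RFC 8446 section 4.2.3
SIGNATURE_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519",
    0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256",
    0x080A: "rsa_pss_pss_sha384",
    0x080B: "rsa_pss_pss_sha512",
    0x0201: "rsa_pkcs1_sha1",
    0x0203: "ecdsa_sha1",
}


def build_certificate_verify(scheme: int, signature: bytes) -> bytes:
    """Encode a CertificateVerify handshake message:
    msg_type(1) | length(3) | SignatureScheme(2) | sig_len(2) | signature."""
    body = struct.pack("!HH", scheme, len(signature)) + signature
    return bytes([HANDSHAKE_CERTIFICATE_VERIFY]) + len(body).to_bytes(3, "big") + body


def parse_certificate_verify(msg: bytes) -> tuple[int, bytes]:
    """Return (SignatureScheme, signature) from a CertificateVerify message,
    rejecting anything that is not a well-formed CertificateVerify."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_VERIFY:
        raise ValueError("not a CertificateVerify handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 4:
        raise ValueError("truncated CertificateVerify")
    scheme, sig_len = struct.unpack("!HH", body[:4])
    signature = body[4:4 + sig_len]
    if len(signature) != sig_len or 4 + sig_len != length:
        raise ValueError("bad signature length in CertificateVerify")
    return scheme, signature


def sslscan_current_verdict(server_hello_received: bool) -> bool:
    """The logic the page describes: a ServerHello alone counts as 'accepted'."""
    return server_hello_received


def corrected_verdict(offered: list[int], cert_verify: bytes) -> tuple[bool, str]:
    """Proposed check: accepted only if the server signed CertificateVerify
    with a scheme the client listed in signature_algorithms."""
    scheme, _ = parse_certificate_verify(cert_verify)
    name = SIGNATURE_SCHEMES.get(scheme, f"unknown(0x{scheme:04x})")
    return scheme in offered, name


if __name__ == "__main__":
    offered = [0x0401]  # client offered only rsa_pkcs1_sha256, as in the probe above
    # Constructed: the server cannot use PKCS#1 v1.5 for a TLS 1.3 handshake
    # signature, continues anyway and signs with rsa_pss_rsae_sha256.
    cv = build_certificate_verify(0x0804, b"\x00" * 256)
    print("sslscan today :", sslscan_current_verdict(True))
    print("with the check:", corrected_verdict(offered, cv))
```

With the client offering only rsa_pkcs1_sha256, the current logic returns True because a ServerHello arrived, while corrected_verdict returns (False, "rsa_pss_rsae_sha256"), which is what sslscan should report for that algorithm.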