Re: [openssl-users] rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*
On Wednesday, 20 June 2018 07:51:11 CEST John Jiang wrote:
> 2018-06-19 23:11 GMT+08:00 Jakob Bohm:
> > On 19/06/2018 15:40, John Jiang wrote:
> >> Using OpenSSL 1.1.1-pre7
> >>
> >> Please consider the following cases and handshaking results:
> >> 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
> >> suite
> >> Handshaking failed with no suitable cipher
> >>
> >> 2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> >> cipher suite
> >> Handshaking succeeded.
> >>
> >> 3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
> >> suite
> >> Handshaking succeeded.
> >>
> >> 4. rsa_pss_rsae_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> >> cipher suite
> >> Handshaking succeeded.
> >>
> >> Why did case 1 fail?
> >
> > The TLS_RSA_ cipher suites require that the premaster secret
> > is encrypted with the RSA key in the server's certificate.
> > But an rsa_pss_pss_256 certificate (have not seen that notation
> > before) is probably a signing-only certificate, that says not
> > to encrypt anything with its RSA key.
> >
> Why does rsa_pss_rsae_256 + TLS_RSA_* work?
> It sounds that rsa_pss_pss_256 and rsa_pss_rsae_256 are the same signature
> scheme.

because a certificate that is usable for rsa_pss_rsae_sha256 signatures has an rsaEncryption Subject Public Key Info, that means it is generally usable both for encrypting the premaster key (TLS_RSA_* ciphers) and making signatures of its own (TLS_ECDHE_RSA_* ciphers), unless the KeyUsage X509v3 extension doesn't say otherwise...

a certificate that has an rsassa-pss Subject Public Key Info key is usable *only* for making rsassa-pss signatures (or rsa_pss_pss_* signatures)

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
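
Added example, not part of any message in this thread and not OpenSSL code: a small DER reader that pulls the algorithm OID out of a SubjectPublicKeyInfo and maps it to the cipher suite families and PSS scheme family described in the reply above. The two SPKI blobs are constructed with placeholder key bits, and the KeyUsage handling (keyEncipherment for TLS_RSA_*, digitalSignature for TLS_ECDHE_RSA_*) is an assumption that goes slightly beyond what the reply spells out.

```python
# Added example; the SPKI blobs at the bottom are constructed (placeholder key bits).
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption SPKI algorithm
RSASSA_PSS = "1.2.840.113549.1.1.10"      # id-RSASSA-PSS SPKI algorithm

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # last byte of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def spki_algorithm(spki):
    """Return the algorithm OID of a DER SubjectPublicKeyInfo."""
    tag, start, _ = read_tlv(spki, 0)            # SubjectPublicKeyInfo
    tag2, start, _ = read_tlv(spki, start)       # AlgorithmIdentifier
    tag3, start, end = read_tlv(spki, start)     # algorithm OID
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a SubjectPublicKeyInfo")
    return decode_oid(spki[start:end])

def tls_uses(spki, key_usage=None):
    """Return (suite families, PSS scheme family). key_usage is a set of
    KeyUsage bit names, or None when the extension is absent."""
    oid = spki_algorithm(spki)
    ok = lambda bit: key_usage is None or bit in key_usage
    suites, scheme = [], None
    if oid == RSA_ENCRYPTION and ok("keyEncipherment"):
        suites.append("TLS_RSA_*")               # RSA key transport
    if oid in (RSA_ENCRYPTION, RSASSA_PSS) and ok("digitalSignature"):
        suites.append("TLS_ECDHE_RSA_*")         # server signs the key exchange
        scheme = "rsa_pss_rsae_*" if oid == RSA_ENCRYPTION else "rsa_pss_pss_*"
    return suites, scheme

RSAE_SPKI = bytes.fromhex("3016300d06092a864886f70d0101010500030500deadbeef")
PSS_SPKI = bytes.fromhex("3014300b06092a864886f70d01010a030500deadbeef")
```

For the constructed rsassa-pss key, `tls_uses(PSS_SPKI)` offers no TLS_RSA_* family, which corresponds to the "no suitable cipher" result in case 1.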
Re: [openssl-users] rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*
2018-06-19 23:11 GMT+08:00 Jakob Bohm:
> On 19/06/2018 15:40, John Jiang wrote:
>
>> Using OpenSSL 1.1.1-pre7
>>
>> Please consider the following cases and handshaking results:
>> 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
>> suite
>> Handshaking failed with no suitable cipher
>>
>> 2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> cipher suite
>> Handshaking succeeded.
>>
>> 3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
>> suite
>> Handshaking succeeded.
>>
>> 4. rsa_pss_rsae_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> cipher suite
>> Handshaking succeeded.
>>
>> Why did case 1 fail?
>>
> The TLS_RSA_ cipher suites require that the premaster secret
> is encrypted with the RSA key in the server's certificate.
> But an rsa_pss_pss_256 certificate (have not seen that notation
> before) is probably a signing-only certificate, that says not
> to encrypt anything with its RSA key.
>
Why does rsa_pss_rsae_256 + TLS_RSA_* work?
It sounds that rsa_pss_pss_256 and rsa_pss_rsae_256 are the same signature scheme.

Thanks!
Re: [openssl-users] rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*
On 19/06/2018 15:40, John Jiang wrote:
> Using OpenSSL 1.1.1-pre7
>
> Please consider the following cases and handshaking results:
> 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite
> Handshaking failed with no suitable cipher
>
> 2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite
> Handshaking succeeded.
>
> 3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite
> Handshaking succeeded.
>
> 4. rsa_pss_rsae_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite
> Handshaking succeeded.
>
> Why did case 1 fail?

The TLS_RSA_ cipher suites require that the premaster secret
is encrypted with the RSA key in the server's certificate.
But an rsa_pss_pss_256 certificate (have not seen that notation
before) is probably a signing-only certificate, that says not
to encrypt anything with its RSA key.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
[openssl-users] rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*
Using OpenSSL 1.1.1-pre7

Please consider the following cases and handshaking results:
1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite
Handshaking failed with no suitable cipher

2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite
Handshaking succeeded.

3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite
Handshaking succeeded.

4. rsa_pss_rsae_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite
Handshaking succeeded.

Why did case 1 fail?

Thanks!