Bug ID 454492: Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures

Last Modified: Oct 01, 2018

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1

Fixed In:
12.0.0, 11.6.1 HF2, 11.5.4 HF3

Opened: Mar 28, 2014
Severity: 3-Major

Symptoms

BIG-IP uses SHA1 in the handshake signature, even though the client indicates support for stronger hash algorithms.

Impact

The updated code respects the client's signature_algorithms extension. If possible, BIG-IP now prefers SHA256 in the handshake signature, based on the content of the signature_algorithms extension. BIG-IP further upgrades the hash algorithm from SHA256 to SHA384 when P-384 is used, e.g. when a P-384 ECDSA X.509 certificate is used in the handshake. This additional enhancement only applies to the code base starting from 12.0; it was not ported to the 11.x code base.

The signature_algorithms extension is defined in TLS 1.2. It is not present in prior versions of the protocol.

This logic attempts to avoid the use of SHA1 in the TLS handshake whenever possible. This change does not affect signatures used in X.509 certificates, as these signatures are created by the X.509 CAs and not by BIG-IP.

The only time SHA1 will be used in the handshake signature is when either of the following is true:
- An RSA key is used and the signature_algorithms extension is missing, or
- signature_algorithms is present and only lists SHA1.

These conditions are not expected to hold for modern TLS clients, resulting in the upgrade to SHA256 or better.

Conditions

When BIG-IP acts as a TLS server (applies to the clientssl SSL Profile):
- SSL Profile "SSL Sign Hash" is set to ANY. The use of other choices is not recommended.
- The client sends a signature_algorithms extension that includes SHA256.
- ECDSA X.509 certificates have additional logic. If the TLS client doesn't send signature_algorithms, BIG-IP will choose SHA256.
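The check below is an added example, not F5 code: it parses the signature_algorithms extension data from a captured ClientHello and flags a handshake signature that used SHA1 outside the two cases this report lists as still yielding SHA1. The function names are hypothetical and the sample extension bytes are constructed; the code points are those of RFC 5246, section 7.4.1.4.1.

```python
import struct

# HashAlgorithm / SignatureAlgorithm code points (RFC 5246, section 7.4.1.4.1)
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}

# Constructed samples: extension_data of signature_algorithms (2-byte list length, then pairs)
MODERN_EXT = bytes.fromhex("000404010201")   # sha256/rsa, sha1/rsa
SHA1_ONLY_EXT = bytes.fromhex("00020201")    # sha1/rsa only


def parse_signature_algorithms(ext_data):
    """Return the offered (hash, signature) name pairs, in client order."""
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length != len(body) or length == 0 or length % 2:
        raise ValueError("bad supported_signature_algorithms length")
    return [(HASHES.get(body[i], "unknown"), SIGS.get(body[i + 1], "unknown"))
            for i in range(0, length, 2)]


def sha1_expected(key_type, ext_data):
    """True only in the two cases the report lists as still producing SHA1.

    key_type is "rsa" or "ecdsa"; ext_data is None when the client sent no
    signature_algorithms extension.
    """
    if ext_data is None:
        # Missing extension: SHA1 with an RSA key, SHA256 with an ECDSA certificate.
        return key_type == "rsa"
    return all(h == "sha1" for h, _ in parse_signature_algorithms(ext_data))


def is_symptom(observed_hash, key_type, ext_data):
    """True if the observed handshake signature hash matches this bug's symptom."""
    return observed_hash == "sha1" and not sha1_expected(key_type, ext_data)


if __name__ == "__main__":
    for name, ext in (("modern", MODERN_EXT), ("sha1-only", SHA1_ONLY_EXT), ("absent", None)):
        print(name, "-> SHA1 signature is a finding:", is_symptom("sha1", "rsa", ext))
```

Here observed_hash is the hash the server named for its handshake signature, as read from a packet capture of the TLS 1.2 handshake.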

Workaround

None

Fix Information

None

Behavior Change

Respect client signature_algorithms extension. If possible, prefer SHA256 in handshake signature.