
Duplicate signature algorithm values sent from s2n client #3916

Closed
raycoll opened this issue Apr 3, 2023 · 0 comments · Fixed by #4498

raycoll commented Apr 3, 2023

Problem:

When using s2n with modern security policies, the s2n client will send duplicate signature_algorithm extension values. This appears related to how s2n writes entries from its signature scheme preference list: https://github.com/aws/s2n-tls/blob/main/tls/s2n_signature_scheme.c#L321

I ran something like `s2nc -c default_tls13 -i www.amazon.com 443` and generated a packet capture. Here is the signature_algorithm extension:

[Screenshot (2023-04-03) of the packet capture showing the signature_algorithm extension; image not available]

Solution:

Avoid writing duplicated values to the signature_algorithm{_cert} extensions.

  • Does this change what S2N sends over the wire? : Yes, this proposal will change s2n client from sending duplicate signature scheme values to a single value.

Requirements / Acceptance Criteria:

Out of scope:

N/A
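As an added illustration (not s2n's own code), here is a minimal encoder for the signature_algorithms extension body that can either emit the preference list as-is or skip codepoints already written, together with the parse-and-count check one would run over a captured ClientHello to confirm the fix. The preference list and buffer sizes are constructed for the example; the two named codepoints are the RFC 8446 values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Encode a signature_algorithms body (RFC 8446 4.2.3): 2-byte list length, then
 * 2-byte SignatureScheme codepoints. With dedup set, a codepoint already emitted
 * is skipped. Returns bytes written, or -1 if out is too small. */
int write_sig_algs(const uint16_t *prefs, size_t n, bool dedup, uint8_t *out, size_t out_len)
{
    if (out_len < 2) return -1;
    size_t pos = 2;
    for (size_t i = 0; i < n; i++) {
        bool seen = false;
        for (size_t j = 0; dedup && j < i; j++) if (prefs[j] == prefs[i]) { seen = true; break; }
        if (seen) continue;
        if (pos + 2 > out_len) return -1;
        out[pos++] = (uint8_t)(prefs[i] >> 8);
        out[pos++] = (uint8_t)(prefs[i] & 0xff);
    }
    out[0] = (uint8_t)((pos - 2) >> 8);
    out[1] = (uint8_t)((pos - 2) & 0xff);
    return (int)pos;
}

/* Parse an extension body and count codepoints that repeat an earlier one,
 * i.e. the check to run over a captured ClientHello. Returns -1 if malformed. */
int count_duplicate_sig_algs(const uint8_t *body, size_t len)
{
    if (len < 2) return -1;
    size_t list_len = ((size_t)body[0] << 8) | body[1];
    if (list_len + 2 != len || (list_len & 1) != 0) return -1;
    int dups = 0;
    for (size_t i = 2; i < len; i += 2) {
        for (size_t j = 2; j < i; j += 2) {
            if (body[j] == body[i] && body[j + 1] == body[i + 1]) { dups++; break; }
        }
    }
    return dups;
}

/* Constructed preference list (not the issue's capture) that repeats two schemes:
 * 0x0403 ecdsa_secp256r1_sha256 and 0x0804 rsa_pss_rsae_sha256. */
static const uint16_t sample_prefs[] = { 0x0403, 0x0804, 0x0403, 0x0805, 0x0804 };

/* Encode the sample with or without dedup and report how many duplicates remain. */
int demo_duplicates(bool dedup)
{
    uint8_t buf[64];
    int n = write_sig_algs(sample_prefs, sizeof sample_prefs / sizeof sample_prefs[0], dedup, buf, sizeof buf);
    return n < 0 ? -1 : count_duplicate_sig_algs(buf, (size_t)n);
}
```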
