Cannot use TLSSocket without enabling MBEDTLS_SHA1_C macro

[janjongboom]

Description

You cannot use TLSSocket in Mbed OS master without declaring MBEDTLS_SHA1_C=1 in your macros section in mbed_app.json. This is not good, everything should work out of the box. We should add it to the default TLS config, or add it to mbed_lib.json for TLSSocket (like it is in the standalone library).

Issue request type

[ ] Question
[ ] Enhancement
[X] Bug

@bulislaw @SenRamakri @sg-

[ciarmcom]

Internal Jira reference: https://jira.arm.com/browse/MBOCUSTRIA-137

[kjbracey]

How much does MBEDTLS_SHA1_C affect code size for people using the crypto but not full TLS? It adds it to the cipher list, but when is that typically pulled in apart from TLS? HMAC wrappers?

[marcuschangarm]

I think this depends on the root certificate you provide TLSSocket. I'm able to connect to AWS S3 using TLSSocket out of the box and a SHA256 signed certificate.

@janjongboom can you post the certificate you are trying to use?

[janjongboom]

@marcuschangarm os.mbed.com

See the code example in https://os.mbed.com/blog/entry/Adding-TLS-Sockets-to-Mbed-OS/

[SeppoTakalo]

LetsEncrypt certificate work without this MBEDTLS_SHA1_C so this issue is not valid or should be directed to Mbed TLS team.

COMODO certificate seems to require this SHA1.

[SeppoTakalo]

Tried a build without the macro and using Mbed OS Socket example modified to TLS

Total Static RAM memory (data + bss): 64264(+0) bytes
Total Flash memory (text + data): 294886(+0) bytes

With MBEDTLS_SHA1_C macro enabled:

Total Static RAM memory (data + bss): 64264(+0) bytes
Total Flash memory (text + data): 300271(+5385) bytes

So the flash size is affected by 5kB.

This is now up to TLS team to decide whether to enable that macro by default or not.
Mbed OS is not touching the default TLS configuration.

[janjongboom]

@SeppoTakalo @marcuschangarm Any idea on how we could print an error message to tell the user to enable this macro when we encounter this? If we could do that that'd be good by me.

[SeppoTakalo]

/**
 * \def MBEDTLS_SHA1_C
 *
 * Enable the SHA1 cryptographic hash algorithm.
 *
 * Module:  library/sha1.c
 * Caller:  library/md.c
 *          library/ssl_cli.c
 *          library/ssl_srv.c
 *          library/ssl_tls.c
 *          library/x509write_crt.c
 *
 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
 * depending on the handshake parameters, and for SHA1-signed certificates.
 *
 * \warning   SHA-1 is considered a weak message digest and its use constitutes
 *            a security risk. If possible, we recommend avoiding dependencies
 *            on it, and considering stronger message digests instead.
 *
 */
//#define MBEDTLS_SHA1_C

So it seems that SHA1 is required for old and weak certificates.

And again, I should not make any statements on how Mbed TLS is built, or should build.
It is their judgement call on what ciphers and configs to support.

CC: @ARMmbed/mbed-tls-gatekeepers can you comment here on how to handle this. Should we, or should Mbed TLS print out warning when building it with secure config. Feels a bit wrong...

As what comes to runtime error code, turning on the traces would print out this:

[ERR ][TLSW]: mbedtls_x509_crt_parse() failed: -0x262e (-9774): X509 - Signature algorithm (oid) is unsupported : OID - OID is not found

That is pretty much all we can get from TLS library.

[gilles-peskine-arm]

Hello,

I haven't investigated the issue(s) you're facing, but just to comment on MBEDTLS_SHA1_C, I want to emphasize that it's mainly needed for two things. It's needed to support older, weak certificates that are signed with SHA-1, which requires a further run-time option to enable because it's a security risk. And, independently, it's also needed to support TLS protocol versions 1.0 and 1.1.

The trace from mbedtls_x509_crt_parse shows that a certificate is using an unsupported algorithm. Just to confirm, are you getting a positive result with the same certificate if you compile with MBEDTLS_SHA1_C and no other changes? This surprises me because I'd have expected that the x509 module would then recognize SHA-1 but reject it as insecure.

[SeppoTakalo]

Yes, the same certificate works if SHA1 is enabled.

This was the error log:

[ERR ][TLSW]: mbedtls_x509_crt_parse() failed: -0x262e (-9774): X509 - Signature algorithm (oid) is unsupported : OID - OID is not found
[INFO][TLSW]: mbedtls_ssl_conf_rng()
[INFO][TLSW]: mbedtls_ssl_config_defaults()
[INFO][TLSW]: mbedtls_ssl_conf_authmode()
[INFO][TLSW]: mbedtls_ssl_setup()
[INFO][TLSW]: Starting TLS handshake with api.ipify.org
[ERR ][TLSW]: mbedtls_ssl_handshake() failed: -0x7680 (-30336): SSL - No CA Chain is set, but required to operate
Error! socket->connect() returned: -30336
[INFO][TLSW]: Closing TLS

This is when SHA1 is enabled:

Connecting to network
[INFO][TLSW]: mbedtls_ssl_conf_ca_chain()
[INFO][TLSW]: mbedtls_ssl_config_defaults()
[INFO][TLSW]: mbedtls_ssl_conf_authmode()
Connecting to api.ipify.org
[INFO][TLSW]: mbedtls_ssl_conf_rng()
[INFO][TLSW]: mbedtls_ssl_setup()
[INFO][TLSW]: Starting TLS handshake with api.ipify.org
[INFO][TLSW]: TLS connection to api.ipify.org established
[DBG ][TLSW]: Server certificate:
    cert. version     : 3
    serial number     : 92:0F:D1:B7:FE:4B:88:AE:B6:ED:5A:B0:C3:6C:56:68
    issuer name       : C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
    subject name      : OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.ipify.org
    issued  on        : 2018-01-24 00:00:00
    expires on        : 2021-01-23 23:59:59
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=false
    subject alt name  : *.ipify.org, ipify.org
    key usage         : Digital Signature, Key Encipherment
    ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication


[INFO][TLSW]: Certificate verification passed
[DBG ][TLSW]: send 58
SRV: HTTP/1.1 200 OK

Log outputs are coming from the wrapper layer, not from the Mbed TLS library. Is there some way to enable some loggings from TLS library as well? Should I re-run the same app with those enabled?

edit: sorry, copy&pasted wrong logs.. but anyway those were similar.

[SeppoTakalo]

Both say that signed using : RSA with SHA-256

[Patater]

Since this is PKI, there is probably a certificate chain involved. All certificates in the chain would need to avoid SHA-1. Probably the root certificate for Let's Encrypt is (IdenTrust) DST Root CA X3 which is signed using PKCS #1 SHA-1 With RSA Encryption. (See https://letsencrypt.org/certificates/ for more details.)