Re: BUG #17760: SCRAM authentication fails with "modern" (rsassaPss signature) server certificate
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Michael Paquier <michael@paquier.xyz>
Cc: gunnar.bluth@pro-open.de, pgsql-bugs@lists.postgresql.org,
Jacob Champion <jchampion@timescale.com>
Date: 2023-02-10T14:02:31Z
Lists: pgsql-bugs
The new "tls-server-end-point-sha-256" channel binding type now seems like the best approach to me, but I still wanted to reply to this: On 09/02/2023 10:24, Michael Paquier wrote: > But the client has the choice to decide if it wants to use channel > binding, does it? In this case, it would send the non-PLUS mechanism > followed by 'n' as gs2-cbind-flag, no? No, that makes a downgrade attack possible with channel_binding=prefer. Imagine that you have a server with a typical RSA certificate that supports channel binding. And a client with channel_binding=prefer. There is a Man-In-The-Middle between the client and the server. The MITM works as a proxy, and opens two separate TLS connections: server <-> MITM and MITM <-> client. To the client, it presents a TLS server certificate that uses 'rsassaPss'. The client connects to the MITM, sees the rsassaPss certificate, and decides that it cannot do channel binding because the server doesn't support it. It sends 'n' gs2-cbind-flag, and the server happily accepts that. Currently, such a downgrade attack is not possible. If client and server both support channel binding, it will be used. If a MITM tries to modify the SASL mechanism list, leaving out SCRAM-SHA-256-PLUS, the client will use gs2-cbind-flag='y' which notifies the server that the mechanism list was modified, and the server will fail the authentication. And if the MITM doesn't change the negotiation, then channel binding will be used, and the authentication will fail because the client and server will compute a different server certificate hash. There is no way for the client to tell the server "I support channel binding in general, but not with this server certificate". - Heikki
Commits
-
Fix handling of SCRAM-SHA-256's channel binding with RSA-PSS certificates
- 88d606f7cc68 11.20 landed
- a40e7b75e689 12.15 landed
- 2eb8e54cc373 13.11 landed
- 864f80feadea 14.8 landed
- 5fd61055eacf 15.3 landed
- 9244c11afe23 16.0 landed