The BSI's TLS handshake signature requirements
Germany's BSI, the Federal Office for Information Security, released a set of requirements for TLS communication some time ago which are binding for everyone who wants to work with government authorities. Some of these prove to be quite challenging for various reasons. They're called “TLS nach TR-03116-4 / Checkliste für Diensteanbieter”, the “check list for service providers”.
One of the more interesting requests is described in 2.4.2: here, the minimum requirements for signature algorithms during the TLS handshake are listed. So far I wasn't really aware of the details of the handshake – documented in section 7.4 of RFC 5246 – in which the verification of the certificate and the negotiation of the cipher used for the actual communication later on take place. The verification of this handshake is performed using hash and signature algorithms which are negotiated separately. In order to comply with the BSI's requirements, a SHA hash algorithm with a minimum size of 256 bits combined with an ECDSA or RSA signature algorithm has to be used.
Using the “signature_algorithms” extension, the client may indicate which algorithms should be used – if it doesn't, the protocol-based defaults are assumed. For example, when using OpenSSL as TLS client, the client-side accepted signature algorithms can be set using the -sigalgs parameter:
    openssl s_client \
      -connect example.org:443 \
      -sigalgs RSA+SHA256:ECDSA+SHA256 \
      -cipher DH,ECDH -tls1_2
If the server accepts RSA+SHA256 or ECDSA+SHA256 for the handshake, connection negotiation will be performed using one of these algorithm pairs. If the server doesn't offer or accept any of these, no connection will be established.
In order to make Apache 2 behave BSI-compliant regarding signature algorithms, the following statement might be used to limit the algorithms to the ones designated as valid by the BSI:
    SSLOpenSSLConfCmd SignatureAlgorithms \
      "ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256"
So far I haven't found or tested any configuration snippets for nginx; I guess some statement based on ssl_conf_command might work:
    ssl_conf_command SignatureAlgorithms ECDSA+SHA256:RSA+SHA256;
In order to test compliance, tls-check.de may be used. In the test results, look at “TLS Parameters and Algorithms (TLS 1.2)” in the “Supported Signature Algorithms” sections.
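The “signature_algorithms” extension and the hash/signature rule described above can also be checked offline against a captured handshake. The following is an added example, not code from the original post: a Python decoder for the extension body as laid out in RFC 5246 section 7.4.1.4.1 that flags every offered pair outside the rule. The function names and the sample bytes are constructed for illustration; the RSA-PSS code points come from RFC 8446 and are treated as allowed because the Apache list above includes them.

```python
import struct

# Code points from RFC 5246 section 7.4.1.4.1 (hash byte, then signature byte).
HASHES = {0: "none", 1: "MD5", 2: "SHA1", 3: "SHA224",
          4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIGS = {0: "anonymous", 1: "RSA", 2: "DSA", 3: "ECDSA"}
# RSA-PSS schemes named in the Apache list above (code points from RFC 8446).
PSS = {0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
       0x0806: "rsa_pss_rsae_sha512"}
# The rule as stated on this page: SHA with >= 256 bits, signed with ECDSA or RSA.
OK_HASHES = {"SHA256", "SHA384", "SHA512"}
OK_SIGS = {"RSA", "ECDSA"}


def parse_sigalgs(ext_data: bytes):
    """Decode the extension_data of signature_algorithms into (name, allowed) pairs."""
    if len(ext_data) < 2:
        raise ValueError("missing list length")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length != len(body) or length % 2 or length == 0:
        raise ValueError("malformed supported_signature_algorithms list")
    result = []
    for i in range(0, length, 2):
        code = (body[i] << 8) | body[i + 1]
        if code in PSS:
            result.append((PSS[code], True))
            continue
        h, s = HASHES.get(body[i]), SIGS.get(body[i + 1])
        if h is None or s is None:
            result.append((f"unknown_0x{code:04x}", False))  # not in the tables above
        else:
            result.append((f"{s}+{h}", h in OK_HASHES and s in OK_SIGS))
    return result


def non_compliant(ext_data: bytes):
    """Names a peer offers that fall outside the rule; an empty list means compliant."""
    return [name for name, ok in parse_sigalgs(ext_data) if not ok]


# Constructed sample: ECDSA+SHA256, RSA+SHA256, rsa_pss_rsae_sha256, RSA+SHA1, DSA+SHA256
SAMPLE = bytes.fromhex("000a" "0403" "0401" "0804" "0201" "0402")

if __name__ == "__main__":
    for name, ok in parse_sigalgs(SAMPLE):
        print(f"{name:22} {'ok' if ok else 'NOT allowed'}")
```

The input is the extension_data field only, without the two-byte extension type and length that precede it in the ClientHello.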