christoph ender's

blog

thursday the 25th of july, 2024

The BSI's TLS handshake signature requirements

Germany's BSI, the Federal Office for Information Security, released a set of requirements for TLS communication some time ago which are binding for everyone desiring to work with government authorities. Some of these prove to be quite challenging for various reasons. They're called “TLS nach TR-03116-4 / Checkliste für Diensteanbieter”, the “check list for service providers”.

One of the more interesting requests is described in 2.4.2: here, the minimum requirements for signature algorithms during the TLS Handshake are listed. So far I wasn't really aware of the details during the handshake – documented in section 7.4 of RFC 5246 – in which the verification of the certificate and negotiation of the cipher used for the actual communication later on takes place. The verification of this handshake is performed using some hash and signature algorithms which are negotiated separately. In order to comply with the BSI's requirements, a SHA hash algorithm with a minimum size of 256 bits combined with an ECDSA or RSA signature algorithm has to be used.

client-side request of specific algorithms

Using the “signature_algorithms” extension, the client may indicate which algorithms should be used – if it doesn't, the protocol-based defaults are assumed. For example, when using OpenSSL as TLS client, the client-side accepted signature algorithms can be set using the -sigalgs parameter:

openssl s_client \
  -connect example.org:443 \
  -sigalgs RSA+SHA256:ECDSA+SHA256 \
  -cipher DH,ECDH -tls1_2

In case the server accepts RSA+SHA256 or ECDSA+SHA256 for the handshake, connection negotiation will be performed using one of these algorithm pairs. If the server doesn't offer or accept any of these, no connection will be established.

apache

In order to make Apache 2 behave in a BSI-compliant way regarding signature algorithms, the following statement might be used to limit the algorithms to the ones designated as valid by the BSI:

SSLOpenSSLConfCmd SignatureAlgorithms \
  "ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256"

nginx

So far I haven't found or tested any configuration snippets for nginx; I guess some statement based on ssl_conf_command might work:

ssl_conf_command SignatureAlgorithms ECDSA+SHA256:RSA+SHA256;

compliance testing

In order to test compliance, tls-check.de may be used. In the test results, look at “TLS Parameters and Algorithms (TLS 1.2)” in the “Supported Signature Algorithms” sections.
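
When looking at a captured handshake instead of the online test, the body of a “signature_algorithms” extension can be decoded and compared with the Apache list from this post. The following is an added example, not code from the original post; the function names and the sample bytes are constructed for illustration, and the allow-list is simply the Apache line above.

```python
import struct

# TLS 1.2 code points from RFC 5246 section 7.4.1.4.1
HASHES = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIGS = {1: "RSA", 2: "DSA", 3: "ECDSA"}
# RSA-PSS code points from RFC 8446 section 4.2.3
PSS = {0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
       0x0806: "rsa_pss_rsae_sha512"}
# Allow-list: the entries of the Apache SignatureAlgorithms line in this post
ALLOWED = set(("ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:"
               "RSA+SHA256:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:"
               "rsa_pss_rsae_sha256").split(":"))


def parse_signature_algorithms(ext_data: bytes) -> list[str]:
    """Decode the extension_data of a signature_algorithms extension."""
    if len(ext_data) < 2:
        raise ValueError("missing list length")
    (list_len,) = struct.unpack_from("!H", ext_data, 0)
    if list_len != len(ext_data) - 2 or list_len % 2 or list_len == 0:
        raise ValueError("malformed supported_signature_algorithms list")
    names = []
    for off in range(2, len(ext_data), 2):
        (code,) = struct.unpack_from("!H", ext_data, off)
        hash_id, sig_id = code >> 8, code & 0xFF
        if code in PSS:  # check first: 0x08xx is not a hash/signature pair
            names.append(PSS[code])
        elif hash_id in HASHES and sig_id in SIGS:
            names.append(f"{SIGS[sig_id]}+{HASHES[hash_id]}")
        else:
            names.append(f"unknown(0x{code:04x})")
    return names


def audit(ext_data: bytes) -> tuple[list[str], list[str]]:
    """Split the offered algorithms into (on the allow-list, not on it)."""
    offered = parse_signature_algorithms(ext_data)
    ok = [n for n in offered if n in ALLOWED]
    return ok, [n for n in offered if n not in ALLOWED]


# Constructed sample: list length 10, then five two-byte entries
SAMPLE = bytes.fromhex("000a" "0403" "0804" "0401" "0303" "0201")

if __name__ == "__main__":
    ok, rejected = audit(SAMPLE)
    print("allowed:    ", ", ".join(ok))
    print("not allowed:", ", ".join(rejected))
```

Entries outside the list, such as the SHA224 and SHA1 pairs in the sample, are the ones a server limited to the list above will not use.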