[gnutls-devel] Prevent MD5 Downgrade in TLS signatures

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Apr 25 20:30:37 CEST 2015

On Sat, 2015-04-25 at 16:55 +0200, Karthikeyan Bhargavan wrote:
> Prevent MD5 Downgrade in TLS 1.2 Signatures
> -------------------------------------------
> GnuTLS does not by default support MD5 signatures. Indeed the RSA-MD5
> signature-hash algorithm needs to be explicitly enabled using the
> priority option VERIFY_ALLOW_SIGN_RSA_MD5. In the NORMAL and SECURE
> profiles, GnuTLS clients do not offer RSA-MD5 in the signature
> algorithms extension. However, we find that all GnuTLS clients still
> accept RSA-MD5 in the ServerKeyExchange and GnuTLS servers still
> accept RSA-MD5 in the ClientCertificateVerify.
> To see the bug, connect with GnuTLS to an openssl 1.0.1m server with a
> modified ssl/s3_srvr.c (attached) which always signs the
> ServerKeyExchange with RSA-MD5.  When gnutls-cli connects to a server,
> its signature algorithms extension only advertises signature/hash
> algorithms that use the SHA family. Notably, it should not allow any
> MD5 signature. However, when our server sends it an RSA-MD5 signature,
> NSS does not check that this algorithm is included in the allowed
> algorithms and quietly accepts it, hence downgrading the expected
> security of the connection.

Hello Karthikeyan,
 That's a nice catch. There seems to be an issue in the function which
checked the used algorithm for validity. I've managed to make a
reproducer, but could you send yours as well (the attachment was
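
The check the report above describes as missing, as an added example (not GnuTLS's code and not the reporter's attachment): a TLS 1.2 peer must only accept a DigitallySigned struct whose SignatureAndHashAlgorithm pair was in the list it advertised in its own signature_algorithms extension. The advertised list, the function names and the sample ServerKeyExchange byte strings below are constructed for illustration; the codepoints are the RFC 5246 values. The same gate applies to a server checking a ClientCertificateVerify.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.2 SignatureAndHashAlgorithm codepoints (RFC 5246, section 7.4.1.4.1). */
enum { HASH_MD5 = 1, HASH_SHA1 = 2, HASH_SHA256 = 4, HASH_SHA384 = 5, HASH_SHA512 = 6 };
enum { SIG_RSA = 1, SIG_DSA = 2, SIG_ECDSA = 3 };

typedef struct {
    uint8_t hash;
    uint8_t sig;
} sig_hash_t;

/* Constructed list standing in for what a SHA-only client profile advertises
 * in its signature_algorithms extension. This is an assumption for the
 * example, not GnuTLS's actual NORMAL or SECURE priority list. */
static const sig_hash_t advertised_sha_only[] = {
    { HASH_SHA256, SIG_RSA },   { HASH_SHA384, SIG_RSA },   { HASH_SHA512, SIG_RSA },
    { HASH_SHA1,   SIG_RSA },   { HASH_SHA256, SIG_ECDSA }, { HASH_SHA384, SIG_ECDSA },
};
#define ADVERTISED_SHA_ONLY_COUNT (sizeof(advertised_sha_only) / sizeof(advertised_sha_only[0]))

/* Returns 1 if (hash, sig) is one of the pairs we offered, else 0. */
int sig_hash_was_advertised(const sig_hash_t *offered, size_t n, uint8_t hash, uint8_t sig)
{
    for (size_t i = 0; i < n; i++)
        if (offered[i].hash == hash && offered[i].sig == sig)
            return 1;
    return 0;
}

/* Parses the leading fields of a TLS 1.2 DigitallySigned struct:
 * SignatureAndHashAlgorithm (2 bytes) then opaque signature<0..2^16-1>.
 * Returns 1 and fills the outputs on success, 0 on truncated input. */
int parse_digitally_signed(const uint8_t *buf, size_t len,
                           uint8_t *hash, uint8_t *sig, uint16_t *sig_len)
{
    if (len < 4)
        return 0;
    *hash = buf[0];
    *sig = buf[1];
    *sig_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if ((size_t)4 + *sig_len > len)
        return 0;
    return 1;
}

/* The gate the thread says was missing: before verifying a ServerKeyExchange
 * signature, refuse any algorithm pair the client did not advertise.
 * Returns 1 if the signature may proceed to cryptographic verification,
 * 0 if it must be rejected. The actual RSA/ECDSA verification is out of
 * scope for this example. */
int server_kx_signature_allowed(const sig_hash_t *offered, size_t n,
                                const uint8_t *signed_blob, size_t len)
{
    uint8_t hash, sig;
    uint16_t sig_len;
    if (!parse_digitally_signed(signed_blob, len, &hash, &sig, &sig_len))
        return 0;
    return sig_hash_was_advertised(offered, n, hash, sig);
}

/* Constructed ServerKeyExchange signature prefixes: algorithm pair, 2-byte
 * length, dummy signature bytes. Only the header matters for the gate. */
static const uint8_t ske_rsa_md5[]    = { HASH_MD5,    SIG_RSA, 0x00, 0x02, 0xAA, 0xBB };
static const uint8_t ske_rsa_sha256[] = { HASH_SHA256, SIG_RSA, 0x00, 0x02, 0xAA, 0xBB };
static const uint8_t ske_truncated[]  = { HASH_SHA256, SIG_RSA, 0x01, 0x00, 0xAA };

int main(void)
{
    printf("RSA-MD5 against a SHA-only offer:    %s\n",
           server_kx_signature_allowed(advertised_sha_only, ADVERTISED_SHA_ONLY_COUNT,
                                       ske_rsa_md5, sizeof ske_rsa_md5) ? "accepted" : "rejected");
    printf("RSA-SHA256 against a SHA-only offer: %s\n",
           server_kx_signature_allowed(advertised_sha_only, ADVERTISED_SHA_ONLY_COUNT,
                                       ske_rsa_sha256, sizeof ske_rsa_sha256) ? "accepted" : "rejected");
    printf("Truncated signature struct:          %s\n",
           server_kx_signature_allowed(advertised_sha_only, ADVERTISED_SHA_ONLY_COUNT,
                                       ske_truncated, sizeof ske_truncated) ? "accepted" : "rejected");
    return 0;
}
```

The point of the design is that the allow-list consulted at verification time is the same list that went on the wire in the extension, so a peer choosing an algorithm outside it fails closed before any signature is checked; a length check on the DigitallySigned struct precedes the algorithm lookup so a malformed message is rejected rather than read past its end.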

