[erlang-questions] ssl: TLS-1.2 signature extension

Andreas Schultz aschultz@REDACTED
Mon Apr 3 12:46:19 CEST 2017


I've come across a curious TLS 1.2 connection problem. Erlang 19.x will
not connect to https://validator5.addressdoctor.com/ in the default
configuration or when more than TLS 1.2 is offered.

After some digging I found out that the server (IIS-8.0) would attempt
to use TLS 1.2, but chokes on the *missing* Signature Algorithms extension.
This is clearly a bug in the server implementation, as it should assume
a default value for the supported signature algorithms. Nevertheless,
every other TLS client works normally.

Erlang SSL behavior is 100% compliant with RFC-5246:

> Note: this extension is not meaningful for TLS versions prior to 1.2.
>       Clients MUST NOT offer it if they are offering prior versions.

Tests with OpenSSL and GNU-TLS show that they ignore the "MUST NOT"
from the above clause and include the Signature Algorithms extension
whenever they offer TLS 1.2 regardless of a possible fallback to a
lower version.

I think Erlang's SSL should do the same.

There is also an alternative way to understand the clause. Its meaning
depends on "offering prior version". The version offered is the value
from ClientHello.client_version, so as soon as this value is {3, 3},
a Signature Algorithms extension should be sent.
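To check which of the two readings a given client follows, the ClientHello on the wire can be inspected: read client_version and see whether extension type 13 (signature_algorithms, RFC 5246 section 7.4.1.4.1) is present. The following is an added example, written here in Python rather than taken from the poster or from Erlang/OTP's ssl application; the ClientHello bytes it parses are constructed by the `build_client_hello` helper, not captured from the server mentioned above.

```python
"""Minimal TLS ClientHello parser: reports client_version and whether the
signature_algorithms extension (type 13, RFC 5246 7.4.1.4.1) was offered."""
import struct

SIGNATURE_ALGORITHMS = 13      # extension type from the RFC 5246 registry
TLS_1_2 = (3, 3)               # ClientHello.client_version for TLS 1.2

def parse_client_hello(record: bytes) -> dict:
    # TLS record header: content_type(1) version(2) length(2)
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: msg_type(1) length(3); 0x01 is client_hello
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = (ch[0], ch[1])
    pos = 2 + 32                                   # client_version + random
    pos += 1 + ch[pos]                             # session_id (1-byte length)
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + ch[pos]                             # compression_methods
    extensions = []
    if pos < len(ch):                              # extensions block is optional
        end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
            extensions.append(etype)
            pos += 4 + elen
    return {"client_version": version, "extensions": extensions,
            "has_signature_algorithms": SIGNATURE_ALGORITHMS in extensions}

def build_client_hello(version, extensions):
    """Constructed sample ClientHello (one cipher suite, null compression)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    ch = (bytes(version) + b"\x00" * 32 + b"\x00"          # version, random, empty session_id
          + struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00")  # cipher_suites, compression
    if extensions:
        ch += struct.pack("!H", len(ext_body)) + ext_body
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def lacks_sigalgs_for_tls12(info: dict) -> bool:
    """True when client_version is TLS 1.2 or higher but no signature_algorithms
    extension was sent: the combination the poster saw the server reject."""
    return info["client_version"] >= TLS_1_2 and not info["has_signature_algorithms"]
```

Feeding it the first record of a real capture (for example the bytes written by `ssl:connect/3` with packet logging, or a pcap payload) shows immediately whether the client offered the extension.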
