Differences in defaults between 1.0.2 and 1.1.1

Matt Caswell matt at openssl.org
Tue Mar 19 14:23:03 UTC 2019



On 19/03/2019 13:40, Perrow, Graeme wrote:
> TLS: error: accept - force handshake failure: errno 11 - moznss error -12162
> 
> TLS: can't accept: TLS error -12162:Unsupported hash algorithm used by TLS peer..


Just to confirm - you've not configured client authentication?

Assuming not, the above error message from the server suggests that it doesn't
like one of the signature algorithms sent through from the client in the
ClientHello. At least I'm assuming that's the point at which it fails. You
omitted most of the -debug output so it's a little unclear exactly how far
through the handshake it got before the failure occurred. If my assumption is
right then it looks like the server may be behaving incorrectly. It isn't
supposed to fail if it encounters a parameter it doesn't recognise - it's just
supposed to ignore it.

To test the theory I suggest sending through the same list of signature
algorithms in the same order that 1.0.2 sends them. You can do that using the
"-sigalgs" parameter to s_client:

openssl s_client -showcerts -host <host>:<port> -debug -sigalgs \
"RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1"

Matt
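
Added example, not part of the message above and not OpenSSL's own code: a Python decoder for the body of a signature_algorithms extension (type 13) as it appears in ClientHello bytes, listing the entries that are absent from the 1.0.2 -sigalgs list quoted in the message, i.e. the values a server that only knows that list would not recognise. Code point names follow RFC 5246 and RFC 8446; the function names and the sample bytes are constructed for illustration.

```python
import struct

# RFC 5246 HashAlgorithm / SignatureAlgorithm identifiers (high byte / low byte).
HASHES = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIGS = {1: "RSA", 2: "DSA", 3: "ECDSA"}
# RFC 8446 SignatureScheme values that have no hash+signature pair form.
TLS13_ONLY = {
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512", 0x0807: "ed25519", 0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384",
    0x080B: "rsa_pss_pss_sha512",
}

# The -sigalgs list from the message, copied verbatim.
LEGACY_SIGALGS = (
    "RSA+SHA512:DSA+SHA512:ECDSA+SHA512:"
    "RSA+SHA384:DSA+SHA384:ECDSA+SHA384:"
    "RSA+SHA256:DSA+SHA256:ECDSA+SHA256:"
    "RSA+SHA224:DSA+SHA224:ECDSA+SHA224:"
    "RSA+SHA1:DSA+SHA1:ECDSA+SHA1"
).split(":")

def decode_sigalgs(ext_data: bytes) -> list:
    """Decode extension_data: a 2-byte list length, then 2-byte code points."""
    if len(ext_data) < 2:
        raise ValueError("extension body shorter than its length field")
    (list_len,) = struct.unpack_from("!H", ext_data, 0)
    body = ext_data[2:]
    if list_len != len(body) or list_len == 0 or list_len % 2:
        raise ValueError("length field does not match the list that follows")
    names = []
    for (code,) in struct.iter_unpack("!H", body):
        hash_id, sig_id = code >> 8, code & 0xFF
        if code in TLS13_ONLY:
            names.append(TLS13_ONLY[code])
        elif hash_id in HASHES and sig_id in SIGS:
            names.append(f"{SIGS[sig_id]}+{HASHES[hash_id]}")  # s_client -sigalgs spelling
        else:
            names.append(f"unknown(0x{code:04x})")
    return names

def not_in_legacy(names: list) -> list:
    """Entries a peer limited to the quoted 1.0.2 list would not recognise."""
    return [n for n in names if n not in LEGACY_SIGALGS]

# Constructed sample body (not captured from a real handshake): five code points.
SAMPLE = bytes.fromhex("000a" "0403" "0807" "0804" "0401" "0201")

if __name__ == "__main__":
    print(not_in_legacy(decode_sigalgs(SAMPLE)))
```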

