server key exchange signature behavior
Michael Wojcik
Michael.Wojcik at microfocus.com
Thu Jun 25 17:32:22 UTC 2020
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
> Bruce Cloutier
> Sent: Thursday, June 25, 2020 12:10
>
> By "If OpenSSL fails to validate this particular digital signature that
> would be the case." I meant to question whether or not OpenSSL is in
> fact doing the validation? In the case that the signature is being
> ignored then clients wouldn't complain. They wouldn't notice.

s_client should be verifying the signature.[1] That is, it should be verifying every signature that's part of the actual TLS protocol. I admit it's not entirely clear to me which signature isn't being verified successfully by your client.

[1] I'm not sure "validate" is the proper term here, technically speaking. In my experience, the literature usually uses "verify" for confirming a signature. "Validate" is generally used for more complex protocols, such as certificate validation, which involves a large number of steps with various types of checks.

--
Michael Wojcik
Distinguished Engineer, Micro Focus