redondance signature algorithm listed in client hello

Jared Huang jared.fu at gmail.com
Tue Sep 20 09:34:50 UTC 2022


Hello,



I’m using SSL_CTX_set1_sigalgs_list to set my favorite signature algorithm.

But there is more algorithm listed on client hello message than I desired.



I defined a list

#define TLS_PREFER_SIGNATURE    "rsa_pss_rsae_sha256:" \

                                "rsa_pss_rsae_sha384:" \

                                "rsa_pss_rsae_sha512:" \

                                "rsa_pss_pss_sha256:" \

                                "rsa_pss_pss_sha384:" \

                                "rsa_pss_pss_sha512:" \

                                "ecdsa_secp256r1_sha256:" \

                                "ecdsa_secp384r1_sha384:" \

                                "ecdsa_secp521r1_sha512:" \

                                "rsa_pkcs1_sha256:" \

                                "rsa_pkcs1_sha384:" \

                                "rsa_pkcs1_sha5256" \



Then, use SSL_CTX_set1_sigalgs_list(pCtx, TLS_PREFER_SIGNATURE ) to
customize signature algorithm.

But in client hello, the signature algorithm has more than I listed.

Signature Hash Algorithms (23 algorithms)

    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)

    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)

    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)

    Signature Algorithm: ed25519 (0x0807)

    Signature Algorithm: ed448 (0x0808)

    Signature Algorithm: rsa_pss_pss_sha256 (0x0809)

    Signature Algorithm: rsa_pss_pss_sha384 (0x080a)

    Signature Algorithm: rsa_pss_pss_sha512 (0x080b)

    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)

    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)

    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)

    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)

    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)

    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)

    Signature Algorithm: SHA224 ECDSA (0x0303)

    Signature Algorithm: ecdsa_sha1 (0x0203)

    Signature Algorithm: SHA224 RSA (0x0301)

    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)

    Signature Algorithm: SHA224 DSA (0x0302)

    Signature Algorithm: SHA1 DSA (0x0202)

    Signature Algorithm: SHA256 DSA (0x0402)

    Signature Algorithm: SHA384 DSA (0x0502)

    Signature Algorithm: SHA512 DSA (0x0602)


Do I make any mistake ? How do i remove SHA+DSA, and others?


Thanks

-- 
Sincerely,
Jared
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220920/2bda35c0/attachment.htm>


More information about the openssl-users mailing list