Redundant signature algorithms listed in client hello
Jared Huang
jared.fu at gmail.com
Tue Sep 20 09:34:50 UTC 2022
Hello,
I’m using SSL_CTX_set1_sigalgs_list to set my favorite signature algorithm.
But there are more algorithms listed in the client hello message than I desired.
I defined a list:
#define TLS_PREFER_SIGNATURE "rsa_pss_rsae_sha256:" \
"rsa_pss_rsae_sha384:" \
"rsa_pss_rsae_sha512:" \
"rsa_pss_pss_sha256:" \
"rsa_pss_pss_sha384:" \
"rsa_pss_pss_sha512:" \
"ecdsa_secp256r1_sha256:" \
"ecdsa_secp384r1_sha384:" \
"ecdsa_secp521r1_sha512:" \
"rsa_pkcs1_sha256:" \
"rsa_pkcs1_sha384:" \
"rsa_pkcs1_sha5256" \
Then I use SSL_CTX_set1_sigalgs_list(pCtx, TLS_PREFER_SIGNATURE) to
customize the signature algorithms.
But in the client hello, there are more signature algorithms than I listed.
Signature Hash Algorithms (23 algorithms)
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
Signature Algorithm: ed25519 (0x0807)
Signature Algorithm: ed448 (0x0808)
Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
Signature Algorithm: SHA224 ECDSA (0x0303)
Signature Algorithm: ecdsa_sha1 (0x0203)
Signature Algorithm: SHA224 RSA (0x0301)
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Algorithm: SHA224 DSA (0x0302)
Signature Algorithm: SHA1 DSA (0x0202)
Signature Algorithm: SHA256 DSA (0x0402)
Signature Algorithm: SHA384 DSA (0x0502)
Signature Algorithm: SHA512 DSA (0x0602)
Am I making a mistake? How do I remove SHA+DSA and the others?
Thanks
--
Sincerely,
Jared
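
Added example (not part of the original post and not OpenSSL code): a stand-alone pre-flight check that splits a signature-algorithm string on ':' and flags any name that does not appear among the names in the ClientHello capture above. The KNOWN table, POSTED_LIST and check_sigalgs_list() are hypothetical names introduced for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Names copied from the ClientHello capture in the post (constructed table,
 * not OpenSSL's own, which is larger). */
static const char *const KNOWN[] = {
    "ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384",
    "ecdsa_secp521r1_sha512", "ed25519", "ed448",
    "rsa_pss_pss_sha256", "rsa_pss_pss_sha384", "rsa_pss_pss_sha512",
    "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512",
    "rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "rsa_pkcs1_sha512",
    "ecdsa_sha1", "rsa_pkcs1_sha1",
};

/* The list exactly as posted, joined into one string. */
#define POSTED_LIST \
    "rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:" \
    "rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:" \
    "ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512:" \
    "rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha5256"

/* Hypothetical helper: returns how many ':'-separated names are not in KNOWN
 * and copies the first such name into bad (empty string if none). */
int check_sigalgs_list(const char *list, char *bad, size_t badlen)
{
    int unknown = 0;
    if (badlen) bad[0] = '\0';
    for (const char *p = list; *p; ) {
        size_t n = strcspn(p, ":"), i, count = sizeof KNOWN / sizeof KNOWN[0];
        for (i = 0; i < count; i++)
            if (strlen(KNOWN[i]) == n && strncmp(KNOWN[i], p, n) == 0)
                break;
        if (i == count && unknown++ == 0 && badlen)
            snprintf(bad, badlen, "%.*s", (int)n, p);
        p += n;
        if (*p == ':') p++;
    }
    return unknown;
}

int main(void)
{
    char bad[64];
    int n = check_sigalgs_list(POSTED_LIST, bad, sizeof bad);
    if (n)
        printf("%d unrecognised name(s), first: \"%s\"\n", n, bad);
    return n != 0;
}
```

SSL_CTX_set1_sigalgs_list() returns 1 for success and 0 for failure, so its return value is worth checking at the call site as well.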