Which RSA Key Exchange or/and RSA Signature algorithms do Openssl 1.1.1 use for ciphers AES256-GCM-SHA384 and ECDHE-RSA-CAMELLIA128-SHA256? Thanks.
Matt Caswell
matt at openssl.org
Wed Aug 16 09:39:40 UTC 2023
On 15/08/2023 19:47, Ma Zhenhua wrote:
> Hi Team,
>
> I know that both key exchange and authenticate methods of
> AES256-GCM-SHA384 is RSA, the authentication method of
> ECDHE-RSA-CAMELLIA128-SHA256 is RSA.
>
> I'm using 1_1_1_stable branch and would like to figure out which RSA key
> exchange or/and RSA signature algorithm 1_1_1_stable is using
> for ciphers AES256-GCM-SHA384 and ECDHE-RSA-CAMELLIA128-SHA256. Thanks
> in advance.
>
> ■RSA Key Exchange
> RSA-KEM
> RSA-OAEP
> RSA-PKCS#1 v1.5
> RSA(raw RSA, a raw RSA encryption method that does not perform padding
> processing)
>
> ■RSA Signature
> RSA-PSS
> RSA-PKCS#1 v1.5
> RSA(raw RSA, a raw RSA encryption method that does not perform padding
> processing)
I answered your github discussion on this same topic before I saw your
posting here:
https://github.com/openssl/openssl/discussions/21744
Repeating my answer for the benefit of the rest of openssl-users:
For AES256-GCM-SHA384, RSA key exchange is used. RFC 5264 section
7.4.7.1 says this about it:
The RSAES-OAEP encryption scheme defined in [PKCS1] is more secure
against the Bleichenbacher attack. However, for maximal
compatibility with earlier versions of TLS, this specification uses
the RSAES-PKCS1-v1_5 scheme. No variants of the Bleichenbacher
attack are known to exist provided that the above recommendations are
followed.
In the case of ECDHE-RSA-CAMELLIA128-SHA256, RSA is used for signing
only (not key exchange) and an additional ServerKeyExchange message is
sent containing the signature. The actual signature scheme used is
negotiated separately to the ciphersuite based on the capabilities of
the client and server and could be either RSASSA-PSS or RSASSA-PKCS1-v1_5
Matt
More information about the openssl-users
mailing list