<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">2018-06-19 23:11 GMT+08:00 Jakob Bohm <span dir="ltr">&lt;<a href="mailto:jb-openssl@wisemo.com" target="_blank">jb-openssl@wisemo.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 19/06/2018 15:40, John Jiang wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Using OpenSSL 1.1.1-pre7<br>
<br>
Please consider the following cases and handshaking results:<br>
1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite<br>
Handshaking failed with no suitable cipher<br>
<br>
2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite<br>
Handshaking succeeded.<br>
<br>
3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite<br>
Handshaking succeeded.<br>
<br>
4. rsa_pss_rsae_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite<br>
Handshaking succeeded.<br>
<br>
Why did case 1 fail?<br>
</blockquote></span>
The TLS_RSA_ cipher suites require that the premaster secret<br>
is encrypted with the RSA key in the server's certificate.<br>
But an rsa_pss_pss_256 certificate (have not seen that notation<br>
before) is probably a signing-only certificate, that says not<br>
to encrypt anything with its RSA key.<br></blockquote>Why does rsa_pss_rsae_256 + TLS_RSA_* work?<br></div><div class="gmail_quote">It sounds like rsa_pss_pss_256 and rsa_pss_rsae_256 are the same signature scheme.<br><br></div><div class="gmail_quote">Thanks!<br></div></div></div>
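Added example, not part of the thread: under RFC 8446 section 4.2.3 the two scheme names differ in the certificate's public key OID (rsaEncryption for rsa_pss_rsae_*, id-RSASSA-PSS for rsa_pss_pss_*), and only an rsaEncryption key can be used to decrypt the premaster secret that TLS_RSA_* suites require. The sketch below reads that OID from a DER SubjectPublicKeyInfo; the two sample byte strings are constructed with dummy key bits, and all function names are hypothetical.

```python
# Added illustration (not from the thread). OIDs are from RFC 8017 / RFC 4055.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"    # rsaEncryption
RSASSA_PSS = "1.2.840.113549.1.1.10"       # id-RSASSA-PSS

# Constructed SubjectPublicKeyInfo samples with dummy key bits (not real keys).
RSAE_SPKI = bytes.fromhex("3014300d06092a864886f70d0101010500030300abcd")
PSS_SPKI = bytes.fromhex("3012300b06092a864886f70d01010a030300abcd")

def read_tlv(buf, pos=0):
    """Return (tag, value) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length]

def decode_oid(body):
    """Decode DER OID content bytes into dotted form."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if not subids:
        raise ValueError("empty OID")
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def classify_rsa_key(spki_der):
    """Return (TLS 1.3 scheme family, usable for TLS_RSA_* key exchange)."""
    tag, spki = read_tlv(spki_der)          # SubjectPublicKeyInfo SEQUENCE
    tag2, alg = read_tlv(spki)              # AlgorithmIdentifier SEQUENCE
    tag3, oid = read_tlv(alg)               # algorithm OBJECT IDENTIFIER
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a SubjectPublicKeyInfo")
    name = decode_oid(oid)
    if name == RSA_ENCRYPTION:
        return ("rsa_pss_rsae", True)       # key may sign with PSS and decrypt
    if name == RSASSA_PSS:
        return ("rsa_pss_pss", False)       # key restricted to PSS signatures
    raise ValueError("not an RSA key: " + name)
```
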