[openssl-dev] Using TLSv1.2
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Apr 6 21:23:51 UTC 2015
On Tue 2015-03-24 10:47:57 -0400, Андрей Даровских wrote:
> I use the openssl library in the project and use client certificate
> verification. When using protocol TLSv1.2 I have a problem with data
> encryption, using the private key of the client certificate. This is due to
> the fact that the certificate validation server selected encryption
> algorithm that is not supported by the crypt used to encrypt the signature
> on the client certificate (failure in method capi_rsa_sign of e_capi.c
> file).
> Now I have corrected the behavior as follows:
> - the method ssl3_send_client_certificate after selecting a client
> certificate makes cleaning pkeys [i].digest
> - the method ssl_set_cert if pkeys [i] .digest not specified, specify it.
>
> After that I worked with an application protocol TLSv1.2
>
> Is this correct or am I wrong to fix the library using openssl?
I don't think what you're proposing here is the right thing to do.
Also, your report above seems to talk about encryption algorithms but
your code change talks about digest algorithms, so i think something is
mixed up in terms of figuring out what the problem is and how to solve
it. Maybe more details would help?
Can you give an example of the client certificate you were trying to
use, and/or a concrete example of a program that triggers the failure?
If the certificate you're using is sensitive and you don't want to share
it, can you describe a set of steps to recreate the error that you were
running into (perhaps including generating the certificate itself)?
--dkg
More information about the openssl-dev
mailing list