[openssl-dev] Using TLSv1.2

Андрей Даровских darovskikh.andrei at gmail.com
Tue Mar 24 14:47:57 UTC 2015


I use the openssl library in the project and use client certificate
verification. When using protocol TLSv1.2 I have a problem with data
encryption using the private key of the client certificate. This is due to
the fact that the certificate validation server selected an encryption
algorithm that is not supported by the crypt used to encrypt the signature
on the client certificate (failure in method capi_rsa_sign of the e_capi.c
file).
Now I have corrected the behavior as follows:
- the method ssl3_send_client_certificate, after selecting a client
certificate, clears pkeys[i].digest
- the method ssl_set_cert, if pkeys[i].digest is not specified, specifies it.

After that I worked with an application protocol TLSv1.2

Is this correct or am I wrong to fix the library using openssl?
-------------- next part --------------
Index: s3_clnt.c
===================================================================
--- s3_clnt.c	(revision 365595)
+++ s3_clnt.c	(working copy)
@@ -3276,6 +3276,13 @@
         }
         s->rwstate = SSL_NOTHING;
         if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
+            if (SSL_USE_SIGALGS(s)) {
+                /* Clear certificate digests and validity flags */
+                for (i = 0; i < SSL_PKEY_NUM; i++) {
+                    s->cert->pkeys[i].digest = NULL;
+                    s->cert->pkeys[i].valid_flags = 0;
+                }
+            }
             s->state = SSL3_ST_CW_CERT_B;
             if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
                 i = 0;
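Review bot: the added loop inside the (i == 1) branch reuses i as its index, so after the loop i is SSL_PKEY_NUM rather than the value that was just tested, while the lines that follow still treat i as the status flag (i = 0 when SSL_use_certificate or SSL_use_PrivateKey fails). Use a separate index variable for the loop. The loop also resets digest and valid_flags for every pkeys[] slot, not only the slot the new certificate will occupy; the comment should say why all slots must be cleared when SSL_USE_SIGALGS(s) is true.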
-------------- next part --------------
Index: ssl_rsa.c
===================================================================
--- ssl_rsa.c	(revision 365595)
+++ ssl_rsa.c	(working copy)
@@ -222,6 +222,7 @@
     c->key = &(c->pkeys[i]);
 
     c->valid = 0;
+
     return (1);
 }
 
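Review bot: drop the blank line added after "c->valid = 0;". It is a whitespace-only change unrelated to the fix and only adds noise to the patch.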
@@ -430,6 +431,15 @@
     c->pkeys[i].x509 = x;
     c->key = &(c->pkeys[i]);
 
+    // set digest for certificate if it no set earlier
+    if (c->pkeys[i].digest == NULL) {
+        X509_ALGOR* alg = x->cert_info->signature;
+        if (alg == NULL)
+            c->pkeys[i].digest = EVP_sha1();
+        else
+            c->pkeys[i].digest = EVP_get_digestbyobj(alg->algorithm);
+    }
+
     c->valid = 0;
     return (1);
 }
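Review bot: in the block added before "c->valid = 0;", the digest is taken from x->cert_info->signature, which is the algorithm the issuer used to sign the certificate, not a digest tied to this handshake or to what the client's private key can sign with, so the value chosen here may still be one the key's engine rejects. The result of EVP_get_digestbyobj(alg->algorithm) is also stored without a NULL check, so an object that does not map to a digest leaves pkeys[i].digest NULL; fall back to EVP_sha1() there as in the alg == NULL case, or return an error. Style: use a /* */ comment as in the s3_clnt.c hunk and fix its wording ("if it was not set earlier").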

