[openssl-project] The problem of (implicit) relinking and changed behaviour
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Apr 16 14:16:44 UTC 2018
> On Apr 16, 2018, at 6:00 AM, Matt Caswell <matt at openssl.org> wrote:
>
> That's not entirely true. This works:
>
> $ openssl s_server -cert dsacert.pem -key dsakey.pem -cipher ALL:@SECLEVEL=0
> $ openssl s_client -no_tls1_3 -cipher ALL@SECLEVEL=0
>
> This doesn't:
>
> $ openssl s_server -cert dsacert.pem -key dsakey.pem -cipher ALL:@SECLEVEL=0
> $ openssl s_client -cipher ALL@SECLEVEL=0
>
> 139667082474432:error:14201076:SSL routines:tls_choose_sigalg:no
> suitable signature algorithm:ssl/t1_lib.c:2484:
>
> We do not allow DSA certs in TLSv1.3.
It is largely time we did not allow them in TLS 1.2 either, nobody
uses them, but perhaps "nobody" == USG?
--
Viktor.