[openssl-users] How to select supported signature algorithms
Dr. Stephen Henson
steve at openssl.org
Mon Mar 16 22:11:40 UTC 2015
On Mon, Mar 16, 2015, Jacques FLORENCE wrote:
> Hello,
> I am developing a simple client/server application with openSSL.
>
> Using wireshark, I can see in the Client Hello message that there is an
> extension signature_algorithms, in which are fields Signature Hash
> Algorithms.
> I can see a lot of supported algorithms, such as RSA, DSA, ECDSA in the
> fields *Signature Hash Algorithm Signature* ,and SHA1, SHA256, MD5,
> ... for *Signature
> Hash Algorithm Hash*.
>
> The same behavior happens in the Server Key Exchange message.
> My question is: how can I restrict this list of algorithms to use only one?
> Note that I am already using the function set_cipher_list(), and as a
> consequence, the field *Cipher Suites* in those messages only contains the
> suite I want to use. So I don't know what is the API function to use
> instead of ssl_ctx_set_cipher_list().
>
> I didn't find anything in the documentation.
>
You need OpenSSL 1.0.2 to set a custom supported signature algorithms
extension. You can use the macro SSL_CTX_set1_sigalgs_list(ctx, sigstring)
where "sigstring" has the format of SignatureAlgorithms documented at:
https://www.openssl.org/docs/ssl/SSL_CONF_cmd.html
For example SSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256");
For the signature algorithm associated with client authentication you use
SSL_CTX_set1_client_sigalgs_list instead.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list