[openssl-users] How to select supported signature algorithms

[Dr. Stephen Henson]

On Mon, Mar 16, 2015, Jacques FLORENCE wrote:

> Hello,
> I am developing a simple client/server application with openSSL.
> 
> Using wireshark, I can see in the Client Hello message that there is an
> extension signature_algorithms, in which are fields Signature Hash
> Algorithms.
> I can see a lot of supported algorithms, such as RSA, DSA, ECDSA in the
> fields *Signature Hash Algorithm Signature* ,and SHA1, SHA256, MD5,
> ... for *Signature
> Hash Algorithm Hash*.
> 
> The same behavior happens in the Server Key Exchange message.
> My question is: how can I restrict this list of algorithms to use only one?
> Note that I am already using the function set_cipher_list(), and as a
> consequence, the field *Cipher Suites* in those messages only contains the
> suite I want to use. So I don't know what is the API function to use
> instead of ssl_ctx_set_cipher_list().
> 
> I didn't find anything in the documentation.
> 

You need OpenSSL 1.0.2 to set a custom supported signature algorithms
extension. You can use the macro SSL_CTX_set1_sigalgs_list(ctx, sigstring)
where "sigstring" has the format of SignatureAlgorithms documented at:

https://www.openssl.org/docs/ssl/SSL_CONF_cmd.html

For example  SSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256");

For the signature algorithm associated with client authentication you use
SSL_CTX_set1_client_sigalgs_list instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org