[openssl-users] rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*

John Jiang john.sha.jiang at gmail.com
Wed Jun 20 05:51:11 UTC 2018


2018-06-19 23:11 GMT+08:00 Jakob Bohm <jb-openssl at wisemo.com>:

> On 19/06/2018 15:40, John Jiang wrote:
>
>> Using OpenSSL 1.1.1-pre7
>>
>> Please consider the following cases and handshaking results:
>> 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
>> suite
>> Handshaking failed with no suitable cipher
>>
>> 2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> cipher suite
>> Handshaking succeeded.
>>
>> 3. rsa_pss_rsae_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
>> suite
>> Handshaking succeeded.
>>
>> 4. rsa_pss_rsae_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> cipher suite
>> Handshaking succeeded.
>>
>> Why did case 1 fail?
>>
> The TLS_RSA_ cipher suites require that the premaster secret
> is encrypted with the RSA key in the server's certificate.
> But an rsa_pss_pss_256 certificate (have not seen that notation
> before) is probably a signing-only certificate, that says not
> to encrypt anything with its RSA key.
>
Why does rsa_pss_rsae_256 + TLS_RSA_* work?
It sounds like rsa_pss_pss_256 and rsa_pss_rsae_256 are the same signature
scheme.

Thanks!
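
The four cases in this thread, as an added example that is not part of the original messages: in RFC 8446 naming, rsa_pss_rsae_* refers to a certificate key carrying the rsaEncryption OID and rsa_pss_pss_* to one carrying the id-RSASSA-PSS OID, and only the former can be used for TLS_RSA_* key transport. The function names and the SubjectPublicKeyInfo bytes are constructed for illustration, and the check assumes no keyUsage restriction on the certificate.

```python
# Added example (not from the thread). SPKI bytes below are constructed.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # key OID behind rsa_pss_rsae_*
RSASSA_PSS = "1.2.840.113549.1.1.10"      # key OID behind rsa_pss_pss_*

def read_tlv(buf, pos=0):
    """Return (tag, value) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length]

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:                     # base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def spki_key_oid(spki):
    """SubjectPublicKeyInfo -> AlgorithmIdentifier -> OID."""
    for expected in (0x30, 0x30, 0x06):
        tag, spki = read_tlv(spki)
        if tag != expected:
            raise ValueError("unexpected DER tag")
    return decode_oid(spki)

def usable_for(spki, kx):
    """kx is 'RSA' (key transport) or 'ECDHE_RSA' (signature only)."""
    oid = spki_key_oid(spki)
    if oid == RSA_ENCRYPTION:
        return kx in ("RSA", "ECDHE_RSA")
    return oid == RSASSA_PSS and kx == "ECDHE_RSA"

def make_spki(oid_der, params):
    """Build a constructed SPKI with a placeholder (not real) key."""
    alg = b"\x06" + bytes([len(oid_der)]) + oid_der + params
    body = b"\x30" + bytes([len(alg)]) + alg + b"\x03\x02\x00\x00"
    return b"\x30" + bytes([len(body)]) + body

PSS_SPKI = make_spki(bytes.fromhex("2a864886f70d01010a"), b"")
RSAE_SPKI = make_spki(bytes.fromhex("2a864886f70d010101"), b"\x05\x00")
```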