[openssl-users] Unexpected behaviors in TLS handshake

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jun 20 17:31:15 UTC 2018

> On Jun 20, 2018, at 12:47 PM, Matt Caswell <matt at openssl.org> wrote:
> An OpenSSL client will enforce that the ServerKeyExchange signature is
> consistent with the sig algs that it sent. It does *not* enforce that
> the server's certificate signatures are consistent with those sig algs.
> I don't think there is any equivalent of the server's "-strict" to
> switch this checking on.
> Note that in TLSv1.3 there are actually *two* sig algs extensions, i.e.
> "signature_algorithms" and "signature_algorithms_cert". The latter
> enables you to specify acceptable signature algorithms in a certificate
> chain separately from signatures algorithms in the TLSv1.3
> CertificateVerify message.

Right, certificate chain verification is the business of the X.509
code in libcrypto and lies entirely outside the SSL library.  The
SSL library sets the "security level" establishing a baseline
acceptable cryptographic strength, but otherwise, if your trusted
CAs use particular signature algorithms (per CA/B Forum practices,
...) then you'll accept the algorithms they use.

If some root CAs, or intermediate CAs to which they delegate authority,
employ weak algorithms, your best bet is to not trust those
CAs; they should not be using weak algorithms.

TLS is not the best place to regulate (Web) PKI.

At present libcrypto does not provide a fine-grained way to
restrict which signature algorithms are acceptable for a
particular invocation of X509_verify_cert(3).  The "best"
you can do is enable only the EVP algorithms you want when
initializing the OpenSSL library.  I don't recall
whether leaving some EVP algorithms uninitialized is still
possible now that OpenSSL 1.1.x is doing automatic
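The reply above notes that libcrypto gives you no per-call way to say which signature algorithms X509_verify_cert(3) may accept, and that the TLS-level signature_algorithms list does not constrain the certificate chain. An added example, not code from this thread or from OpenSSL, of the check a deployment can bolt on itself: read the outer signatureAlgorithm of each certificate in the peer chain straight from its DER encoding and compare it against an allowlist, before or after handing the chain to the verifier. It parses only the three top-level fields of Certificate and verifies nothing; the allowlist, the helper names and the skeleton certificates at the bottom are constructed for the example.

```python
"""Allowlist check on the signature algorithm of every certificate in a chain.

Parses only Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue } (RFC 5280) and compares signatureAlgorithm.algorithm with an
allowlist. It verifies no signatures; run it beside X509_verify_cert(3) as the
per-call policy gate libcrypto does not provide. Example code, not OpenSSL's.
"""

# Signature AlgorithmIdentifier OIDs from RFC 3279, 4055, 5758 and 8410.
SIGALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "rsassaPss",  # hash is in parameters, not parsed here
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
    "1.3.101.112": "ed25519",
    "1.3.101.113": "ed448",
}
# Example policy (an assumption, adjust to taste): SHA-2 or EdDSA only.
# rsassaPss is left out because its hash sits in parameters this code ignores.
DEFAULT_ALLOWED = frozenset(
    n for n in SIGALG_NAMES.values()
    if n not in ("md5WithRSAEncryption", "sha1WithRSAEncryption",
                 "ecdsa-with-SHA1", "rsassaPss"))


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, contents, end_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:  # indefinite/oversized length: not DER
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _decode_oid(raw):
    """OBJECT IDENTIFIER contents -> dotted string (base-128 arcs)."""
    if not raw:
        raise ValueError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    if n:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm.algorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, _tbs, pos = _read_tlv(cert, 0)  # tbsCertificate, skipped entirely
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, algid, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier.algorithm is not an OID")
    return _decode_oid(oid)


def check_chain_sigalgs(chain_der, allowed=DEFAULT_ALLOWED):
    """[(index, name)] for each cert signed with an algorithm not in `allowed`.

    Pass the chain leaf-first and without the trust anchor: X509_verify_cert
    never checks the anchor's self-signature, so its algorithm is moot.
    Unknown OIDs are reported in dotted form and fail the allowlist."""
    return [(i, SIGALG_NAMES.get(oid, oid))
            for i, oid in enumerate(map(signature_algorithm_oid, chain_der))
            if SIGALG_NAMES.get(oid, oid) not in allowed]


# ---- constructed sample chain: skeleton certificates, not real ones ----
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    a, b, *rest = (int(x) for x in dotted.split("."))
    out = [40 * a + b]
    for arc in rest:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def skeleton_cert(sig_oid):
    """Minimal DER Certificate: stand-in TBS, given sigalg, dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))  # NULL params
    sig = _der(0x03, b"\x00" * 5)  # BIT STRING, no unused bits, dummy value
    return _der(0x30, tbs + alg + sig)


LEAF = skeleton_cert("1.2.840.113549.1.1.11")              # sha256WithRSA
WEAK_INTERMEDIATE = skeleton_cert("1.2.840.113549.1.1.5")  # sha1WithRSA
EC_INTERMEDIATE = skeleton_cert("1.2.840.10045.4.3.2")     # ecdsa-with-SHA256

if __name__ == "__main__":
    print(check_chain_sigalgs([LEAF, EC_INTERMEDIATE]))    # []
    print(check_chain_sigalgs([LEAF, WEAK_INTERMEDIATE]))  # [(1, 'sha1WithRSAEncryption')]
```

In a real client the DER of each chain element comes from i2d_X509() on the certificates X509_STORE_CTX_get0_chain() returns (or from the peer's Certificate message, which is already DER); rejecting the connection when the list is non-empty gives you the per-connection policy that neither the TLS signature_algorithms extension nor the security level expresses.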