Handling signature_algorithm extension on TLS1.3 server

Raja Ashok rashok.svks at gmail.com
Thu Jun 6 15:15:57 UTC 2019


Currently has_usable_cert() function is called on tls_choose_sigalg() to
find out the suitable certificate available. But currently rsa_pkcs1_xxx
and rsa_pss_rsae_xxx certs are stored on same index SSL_PKEY_RSA. Because
of this it may ends in choosing rsa_pkcs1_xxx cert for rsa_pss_rsae_xxx
extension. Is this behaviour correct ?

As per my understanding a new index should be created like
SSL_PKEY_RSA_PSS_RSAE_SIGN for rsa_pss_rsae_xxx type certs.

Raja Ashok
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190606/88733d16/attachment.html>

More information about the openssl-users mailing list