Handling signature_algorithm extension on TLS1.3 server

Viktor Dukhovni openssl-users at dukhovni.org
Sat Jun 8 00:20:26 UTC 2019

> On Jun 7, 2019, at 12:07 PM, Hubert Kario <hkario at redhat.com> wrote:
> OTOH, the practice in TLS 1.2, and behaviour codified in TLS 1.3 RFC, is that 
> if you have just one chain, give it to client and let it sort out if it likes 
> it or not

Absolutely.  The text in RFC5246 is a specification overreach from TLS into
X.509 that is counterproductive in practice.  We should not implement the
part of RFC5246 that would have the server fail the handshake when its
certificate chain has *potentially* unsupported signatures.  Deciding
whether the chain is OK (or even looked at all) is up to the client.
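
Added example, not part of the original message and not OpenSSL code: a small Python model of the two server policies discussed in this thread, the strict one (abort when no chain is signed only with algorithms from the client's signature_algorithms extension) and the lenient one (send a chain anyway and let the client decide). The function names, the `strict` flag and the sample chains are assumptions made for illustration.

```python
"""Model of server chain selection against the signature_algorithms extension."""


class HandshakeFailure(Exception):
    """Raised when the modelled server aborts instead of sending a chain."""


def chain_supported(chain_sigs, offered):
    """True if every certificate signature in the chain was offered by the client."""
    return all(sig in offered for sig in chain_sigs)


def select_chain(chains, client_sigalgs, strict=False):
    """Return the name of the chain the server sends.

    chains: dict of chain name -> signature algorithms used on its
            certificates (a constructed model, not an OpenSSL structure).
    client_sigalgs: names from the client's signature_algorithms extension,
            or None when the extension is absent.
    strict: True models failing the handshake when no chain is fully covered;
            False models sending a chain regardless and leaving the
            accept/reject decision to the client.
    """
    if not chains:
        raise ValueError("server has no certificate chain configured")
    names = list(chains)
    if client_sigalgs is None:
        return names[0]
    offered = set(client_sigalgs)
    # Prefer a chain the client has said it can verify end to end.
    for name in names:
        if chain_supported(chains[name], offered):
            return name
    if strict:
        raise HandshakeFailure("no chain signed only with offered algorithms")
    # Lenient fallback: the chain only *potentially* fails on the client side.
    return names[0]


# Constructed sample data.
SINGLE = {"rsa-chain": ["rsa_pkcs1_sha256", "rsa_pkcs1_sha1"]}
DUAL = {
    "rsa-chain": ["rsa_pkcs1_sha256", "rsa_pkcs1_sha1"],
    "ecdsa-chain": ["ecdsa_secp256r1_sha256"],
}
CLIENT = ["ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256", "rsa_pkcs1_sha256"]
```
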

