Removing Extensions from Client Hello Header
Benjamin Kaduk
bkaduk at akamai.com
Tue Nov 12 22:25:18 UTC 2019
On Tue, Nov 12, 2019 at 03:08:19PM -0700, Phil Neumiller wrote:
> I find the comment below about TLS 1.3 troubling.
[...]
> * /*
> * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test
> it
> * for TLSv1.2 for now until we add a new API.
> */*
> SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
>
> if (testctx) {
> int ret;
>
> if (curr->list != NULL)
> ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
> else
> ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
I don't.
>From SSL_CTX_set1_sigalgs.pod:
% The TLS 1.3 signature scheme names (such as "rsa_pss_pss_sha256") can also
% be used with the B<_list> forms of the API.
The TLS 1.3 schemes don't decompose into SIG+HASH, so this is just a constraint
inherent to the old API, not a bug.
-Ben
More information about the openssl-users
mailing list