Question about handshake error

Viktor Dukhovni openssl-users at
Wed Mar 11 15:08:11 UTC 2020

On Wed, Mar 11, 2020 at 12:15:32PM +0000, Matt Caswell wrote:

> I would recommend that the server operator removes both copies of the
> root cert from its cert chain. Hopefully this should then mean that it
> does not see the SHA1 root and will therefore continue the handshake. If
> you can't get the server operator to make this change then, as a
> workaround, you'd have to change your application configuration to add
> back in the missing sigalgs and switch the security level to 0.

The signature algorithm security level is not expected to be enforced
on self-signed certificates (root CAs).  How is it happening here?


More information about the openssl-users mailing list