no suitable signature algorithm during handshake failure

Quanah Gibson-Mount quanah at
Fri Jan 8 01:10:29 UTC 2021

Working on a migration for an application (OpenLDAP) where the old version 
is linked to OpenSSL 1.0.2 to where the new version is linked to OpenSSL 

Most client applications are working without issue.  However, one Windows 
client application consistently fails to connect to the OpenSSL 1.1.1h 
linked slapd with an error of no suitable signature algorithm during the 

Using wireshark, we can see the following signature algorithms are offered 
from the client side (which uses TLSv1.2) for both the working and failing 

0x0403 ECDSA-SHA256
0x0503 ECDSA-SHA384
0x0603 ECDSA-SHA512
0x0401 RSA-SHA256
0x0501 RSA-SHA384
0x0601 RSA-SHA512
0x0402 DSA-SHA256
0x0203 ECDSA-SHA1
0x0201 RSA-SHA1
0x0202 DSA-SHA1

If I test connecting on the command line to the server in question, I can 
connect using any of RSA+SHA256, RSA+SHA384, and RSA+SHA512 from the above 
signature algorithms without issue, like:

openssl s_client -connect <host:636> -tls1_2 -sigalgs RSA+SHA256

Any suggestions as to why the windows client is unable to negotiate with a 
new version of OpenSSL?

The error in the log is:

error: 14201076:SSL routines:tls_choose_sigalg:no suitable signature 



Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

More information about the openssl-users mailing list