RSA signed ECDSA certificate still uses ECDSA for authentication

Viktor Dukhovni openssl-users at dukhovni.org
Fri Aug 26 20:36:14 UTC 2022


On Fri, Aug 26, 2022 at 01:28:21PM -0700, radiatejava wrote:

> >> and then the same ECDSA key verified by the CA to sign a hash over the transcript of the handshake itself
>
> Which part of the TLS handshake are you talking about? Are you talking
> about the three messages from the client to the server, that is,
> ClientKeyExchange, ChangeCipherSpec, ClientFinished? In my
> understanding, ClientKeyExchange and ChangeCipherSpec are not encrypted
> and the last one, ClientFinished, is encrypted but using the keys
> derived from ECDHE key exchange algorithm. Is that not right?

Other than with TLS 1.0--1.2 anon-DHE and anon-ECDHE ciphersuites, the
server key exchange message parameters are signed with the server's
public key.  If a client certificate is solicited, the client's
ClientVerify message is signed with the client's public key.

I am not aware of any anon-DHE or anon-ECDHE ciphers for TLS 1.3.  I'd
advocate for these to be added (for unauthenticated opportunistic TLS),
if I did not suspect that there would be little support for them at
present.

-- 
    Viktor.
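
The distinction in the subject line, as an added example that is not part of the original post: an RSA CA issues a certificate for an ECDSA key, and a signature made with that ECDSA key verifies against the leaf certificate's key but not against the CA's. It assumes the OpenSSL command-line tool is installed; the subject names and the sample bytes are constructed, and the sample bytes only stand in for handshake data (no TLS handshake is performed).

```shell
#!/bin/sh
# Constructed demo: throwaway keys, made-up subject names and sample bytes.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_chain() {
  # Self-signed RSA CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example RSA CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # ECDSA P-256 leaf key, CSR, and a leaf certificate issued by the RSA CA.
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/leaf.key"
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=server.example" -out "$WORK/leaf.csr"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 1 -out "$WORK/leaf.crt" 2>/dev/null
}

cert_sig_alg() {   # algorithm the issuer used to sign certificate $1
  openssl x509 -in "$1" -noout -text | awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

leaf_key_alg() {   # algorithm of the subject key that certificate $1 certifies
  openssl x509 -in "$1" -noout -text | awk -F': ' '/Public Key Algorithm/ {print $2; exit}'
}

sign_sample() {    # sign the stand-in data with the leaf's ECDSA private key
  printf 'constructed stand-in for handshake data' > "$WORK/msg"
  openssl dgst -sha256 -sign "$WORK/leaf.key" -out "$WORK/msg.sig" "$WORK/msg"
}

verify_with() {    # check the sample signature against the key in certificate $1
  openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
  if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/msg.sig" \
       "$WORK/msg" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

build_chain
sign_sample
echo "certificate signed with : $(cert_sig_alg "$WORK/leaf.crt")"
echo "subject key algorithm   : $(leaf_key_alg "$WORK/leaf.crt")"
echo "sample sig vs leaf key  : $(verify_with "$WORK/leaf.crt")"
echo "sample sig vs CA key    : $(verify_with "$WORK/ca.crt")"
```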