> [fol...@cisco.com - Sat Mar 17 14:55:45 2012]:
>
> Using "openssl s_server" as the application with libcrypto 1.0.1, it
> appears the TLS 1.2 behavior may not be compliant with RFC 5246. Page
> 49 of RFC 5246 states:
>
> If the client provided a "signature_algorithms" extension, then all
> certificates provided by the server MUST be signed by a
> hash/signature algorithm pair that appears in that extension.
>
> Using the certificate attached to this email, which is signed using
> RSA/SHA-512, s_server continues to establish the TLS session even though
> the client has not offered RSA/SHA-512 in the ClientHello signature
> algorithms extension. Maybe I'm misinterpreting the specification, but
> shouldn't the server fail this handshake since the client has indicated
> it doesn't support RSA/SHA-512?
>
Yes, OpenSSL currently doesn't obey that restriction, in common with many other implementations. There has been a discussion about this in the TLS mailing lists.

This will be fixed at some point, but full support requires some non-trivial revision of certificate handling. Currently OpenSSL supports one chain per EE key type, and fully supporting that would potentially need support for many different chains for each key type. Very few existing applications would support that (possibly none...).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
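The RFC 5246 rule under discussion can be checked outside the library: parse the client's signature_algorithms extension body, map each certificate's X.509 signature-algorithm OID to an RFC 5246 (hash, signature) code pair, and flag any chain member the client did not offer. The Python below is an added example written for this thread; it is not OpenSSL code and not the reporter's setup. The ClientHello extension bytes and the DER skeleton it parses are constructed for the demonstration (the skeleton has the Certificate SEQUENCE layout but is not a real certificate); the OIDs and code points are the standard ones from PKIX and RFC 5246. It also applies the RFC's default when the client sends no extension at all (act as if {sha1, key type} had been offered), which the thread does not spell out.

```python
"""Server-side check for RFC 5246 7.4.1.4.1: every certificate in the
server chain must be signed with a hash/signature pair that the client
listed in its signature_algorithms extension."""

# RFC 5246 HashAlgorithm and SignatureAlgorithm code points
HASH = {"sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}
SIG = {"rsa": 1, "dsa": 2, "ecdsa": 3}

# PKIX signature-algorithm OIDs mapped to (hash, signature) names
OID_TO_PAIR = {
    "1.2.840.113549.1.1.5": ("sha1", "rsa"),
    "1.2.840.113549.1.1.11": ("sha256", "rsa"),
    "1.2.840.113549.1.1.12": ("sha384", "rsa"),
    "1.2.840.113549.1.1.13": ("sha512", "rsa"),
    "1.2.840.10045.4.1": ("sha1", "ecdsa"),
    "1.2.840.10045.4.3.2": ("sha256", "ecdsa"),
    "1.2.840.10045.4.3.3": ("sha384", "ecdsa"),
    "1.2.840.10045.4.3.4": ("sha512", "ecdsa"),
}


def parse_signature_algorithms(ext_body):
    """Parse extension_data of signature_algorithms: a 2-byte length
    followed by that many bytes of (hash, signature) code pairs."""
    if len(ext_body) < 2:
        raise ValueError("signature_algorithms body too short")
    n = int.from_bytes(ext_body[:2], "big")
    if n == 0 or n % 2 or len(ext_body) != 2 + n:
        raise ValueError("malformed signature_algorithms length")
    pairs = ext_body[2:]
    return {(pairs[i], pairs[i + 1]) for i in range(0, n, 2)}


def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER TLV at
    buf[pos]; handles short-form and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def certificate_signature_oid(der):
    """Extract the dotted signatureAlgorithm OID from a DER Certificate:
    SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    body = der[oid_start:oid_end]
    arcs, val = [body[0] // 40, body[0] % 40], 0    # first byte packs two arcs
    for b in body[1:]:                              # base-128, high bit = more
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def noncompliant_certs(chain_oids, ext_body, key_type="rsa"):
    """Indices of chain certificates (0 = end-entity) whose signature
    pair the client did not offer. With no extension present, RFC 5246
    says to behave as if the client had sent {sha1, <key_type>}."""
    if ext_body is None:
        offered = {(HASH["sha1"], SIG[key_type])}
    else:
        offered = parse_signature_algorithms(ext_body)
    bad = []
    for i, oid in enumerate(chain_oids):
        pair = OID_TO_PAIR.get(oid)
        if pair is None or (HASH[pair[0]], SIG[pair[1]]) not in offered:
            bad.append(i)                           # unknown OID is also rejected
    return bad


# Constructed ClientHello extension body: sha256/rsa, sha384/rsa, sha256/ecdsa
SAMPLE_EXT = bytes.fromhex("0006040105010403")

# Constructed DER skeleton in Certificate shape: empty tbsCertificate,
# AlgorithmIdentifier sha512WithRSAEncryption + NULL, empty BIT STRING.
# Not a real certificate; it exists only to exercise the OID extraction.
SAMPLE_DER = bytes.fromhex("3014" "3000" "300d06092a864886f70d01010d0500" "030100")


def demo():
    """Mirror the thread: an end-entity cert signed RSA/SHA-512 is sent to
    a client that offered only SHA-256/SHA-384 pairs. Returns the offending
    chain indices, which a compliant server would turn into a handshake failure."""
    ee_oid = certificate_signature_oid(SAMPLE_DER)     # 1.2.840.113549.1.1.13
    chain = [ee_oid, "1.2.840.113549.1.1.11"]          # EE + sha256/rsa issuer
    return noncompliant_certs(chain, SAMPLE_EXT)


if __name__ == "__main__":
    print("non-compliant chain positions:", demo())
```

On a live server the OIDs come from `openssl x509 -in cert.pem -outform DER` fed to `certificate_signature_oid`, and the extension body from the parsed ClientHello; an empty result means the chain satisfies the MUST, a non-empty one is the case the reporter observed s_server accepting.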