Hi,

On Fri, 1 Jul 2016 15:29:53 +0200
"pepone.onrez" <pepone.on...@gmail.com> wrote:

> After upgrading my software to use OpenSSL-1.1, one of the tests is
> failing; in the test in question, the client and server are configured to use
> DSA certificates. The server is configured to request a client
> certificate.

I can't answer your question, but I have one for you: why do you use DSA?

There was a discussion in the TLS working group a while ago about DSA
support and there was overwhelming support to remove it in TLS 1.3.
The rationale was basically that DSA in TLS is rarely used at all, is
often used with insecure key sizes (1024 bit) and has a severe weakness
when it comes to bad random numbers. On top of that it has basically no
advantage over the much more widely used RSA. The original reason
(in the early 90s) to use DSA over RSA were patent issues, but those are
long expired.

So my (and, I think, most others') impression is that DSA in TLS is as
dead as it can be, and probably the most sane move for OpenSSL would be
to just remove it. Given that, I'd like to know why you seem to have
chosen to still use DSA.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

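The "severe weakness when it comes to bad random numbers" is worth seeing concretely, because it is what separates DSA from RSA in this discussion. The following is an added example, not code from the thread or from OpenSSL: a toy DSA over deliberately tiny, insecure parameters (p = 607, q = 101, g = 64, all constructed for illustration), showing that two signatures made with the same nonce k reveal the private key, plus the check a defender would run over a batch of signatures (repeated r values) and the mitigation of deriving k deterministically from the key and digest (in the spirit of RFC 6979, not its exact construction).

```python
"""Toy DSA on tiny constructed parameters. Illustrates why a repeated or
predictable nonce k is catastrophic for DSA: the private key follows
directly from two signatures that share k. Parameters are insecure by
design and exist only to make the arithmetic visible."""
import hashlib

# Constructed toy domain parameters: q divides p-1 and g has order q.
# 64 == pow(2, (607 - 1) // 101, 607), so g generates the order-101 subgroup.
P, Q, G = 607, 101, 64


def hash_to_int(msg: bytes) -> int:
    """Simplified digest truncation: real DSA takes the leftmost bits of the
    hash; reducing mod Q is an adequate stand-in for toy parameters."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def sign(h: int, x: int, k: int) -> tuple:
    """DSA signature (r, s) on digest h with private key x and nonce k."""
    if not 1 <= k < Q:
        raise ValueError("nonce out of range")
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    return r, s


def verify(h: int, y: int, sig: tuple) -> bool:
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (h * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def recover_private_key(h1: int, sig1: tuple, h2: int, sig2: tuple) -> int:
    """Why the weakness is severe: with a shared nonce, s1 - s2 = k^-1 (h1 - h2),
    so k and then x fall out of two signatures with plain modular arithmetic."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("signatures do not share a nonce")
    k = ((h1 - h2) * pow((s1 - s2) % Q, -1, Q)) % Q
    return ((s1 * k - h1) * pow(r1, -1, Q)) % Q


def repeated_r(sigs: list) -> list:
    """Defender's check: indices of signatures that share an r value, the
    visible symptom of nonce reuse (same k gives the same r)."""
    seen = {}
    dupes = []
    for i, (r, _) in enumerate(sigs):
        if r in seen:
            dupes.append((seen[r], i))
        else:
            seen[r] = i
    return dupes


def deterministic_nonce(x: int, h: int, counter: int = 0) -> int:
    """Mitigation in the spirit of RFC 6979 (not its exact algorithm): derive k
    from the private key and digest so it never depends on the system RNG and
    never repeats across distinct messages."""
    material = x.to_bytes(8, "big") + h.to_bytes(8, "big") + counter.to_bytes(2, "big")
    return 1 + int.from_bytes(hashlib.sha256(material).digest(), "big") % (Q - 1)


def sign_deterministic(h: int, x: int) -> tuple:
    """Sign with a derived nonce, retrying with a counter on the rare
    degenerate (r == 0 or s == 0) case."""
    for counter in range(16):
        try:
            return sign(h, x, deterministic_nonce(x, h, counter))
        except ValueError:
            continue
    raise RuntimeError("could not find a usable nonce")


if __name__ == "__main__":
    x = 17                      # constructed private key
    y = pow(G, x, P)            # public key
    h1, h2 = 5, 40              # constructed digests (already reduced mod Q)
    bad_k = 23                  # the same "random" nonce used twice
    s1, s2 = sign(h1, x, bad_k), sign(h2, x, bad_k)
    print("signatures share r:", repeated_r([s1, s2]))
    print("recovered private key:", recover_private_key(h1, s1, h2, s2))
    print("deterministic signature verifies:", verify(h1, y, sign_deterministic(h1, x)))
```

The detection half is the part that transfers to practice: a batch of DSA (or ECDSA) signatures from one key in which an r value repeats is a red flag for a broken RNG on the signer, regardless of key size.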

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
