When connecting to a virtual, SNI defined host openssl selects SHA1 digest instead of SHA512, as it does for the default host.
Steps to Reproduce: 1. openssl req -x509 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch 2. openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -subj /CN=server -nodes -batch 3. openssl s_server -key localhost.key -cert localhost.crt -key2 server.key -cert2 server.crt -servername server In other console, using OpenSSL 1.0.2: 1. openssl s_client -connect localhost:4433 </dev/null 2>/dev/null| grep 'Peer signing digest' 2. openssl s_client -connect localhost:4433 -servername server </dev/null 2>/dev/null| grep 'Peer signing digest' Actual results: 1. Peer signing digest: SHA512 2. Peer signing digest: SHA1 Expected results: 1. Peer signing digest: SHA512 2. Peer signing digest: SHA512 See also: https://bugzilla.redhat.com/show_bug.cgi?id=1150033 I've investigated this a little and found that the second SSL context that is used when the server receives the servername extension does not have full copy of settings from the main context. Namely the tls1_process_sigalgs() is not properly called for it. I am not sure what would be the proper fix though. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.) ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
