> On Apr 16, 2018, at 6:00 AM, Matt Caswell <m...@openssl.org> wrote:
>
> That's not entirely true. This works:
>
> $ openssl s_server -cert dsacert.pem -key dsakey.pem -cipher ALL:@SECLEVEL=0
> $ openssl s_client -no_tls1_3 -cipher ALL@SECLEVEL=0
>
> This doesn't:
>
> $ openssl s_server -cert dsacert.pem -key dsakey.pem -cipher ALL:@SECLEVEL=0
> $ openssl s_client -cipher ALL@SECLEVEL=0
>
> 139667082474432:error:14201076:SSL routines:tls_choose_sigalg:no
> suitable signature algorithm:ssl/t1_lib.c:2484:
>
> We do not allow DSA certs in TLSv1.3.

It is largely time we did not allow them in TLS 1.2 either, nobody uses them, but perhaps "nobody" == USG?

--
Viktor.