On Fri, Feb 26, 2016, Nounou Dadoun wrote:
> I've extracted the certificates from the exchange to verify that the (tlsv1)
> successful handshake and the (tlsv1.2) failed handshake certificates are
> identical (they are) and I've also checked to make sure that the CA
> certificate that the server has for signature verification is the same as the
> CA certificate handed over by the client in the exchange (it is).
>
> I've also used the command line openssl verify to verify the certificate
> against the CA:
> "client_cert_success.pem: OK"
>
> However it succeeds in TLSv1 and fails in TLSv1.2 (the one line change noted
> below).
>
> I've now attached the certificates for quick reference - can anyone see what
> might be causing the different behavior between TLSv1 and TLSv1.2?
>
The signature TLS uses for client auth is different in TLS 1.2. For TLS < 1.2 the TLS signature is a combined MD5+SHA1 form for RSA. For TLS 1.2 it is the more standard DigestInfo signature which can use other algorithms such as SHA512 or SHA256.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
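The two signature forms Steve describes can be reproduced outside a TLS stack. The Go program below is an added example, not code from this thread or from OpenSSL; it uses Go's `crypto/rsa`, where `crypto.MD5SHA1` selects the TLS 1.0/1.1 encoding (PKCS#1 v1.5 over the raw 36-byte MD5||SHA-1 digest, no DigestInfo) and `crypto.SHA256` selects the TLS 1.2 encoding (PKCS#1 v1.5 with a DigestInfo naming the hash). The same key signs a constructed handshake transcript both ways, and each signature is then checked under both verifier expectations. The point it shows is the one the thread turns on: with an identical certificate and key, a signature produced in one form fails verification when the peer expects the other, so `openssl verify` reporting `OK` for the certificate says nothing about whether the CertificateVerify signature matches the negotiated protocol version. The names `Result`, `Compare` and `Run` and the transcript bytes are this example's own.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// Result records which verification attempts succeed for the two signature
// forms. Field names are this example's own.
type Result struct {
	LegacyVerifiesAsLegacy bool // TLS 1.0/1.1 form checked the TLS 1.0/1.1 way
	LegacyVerifiesAsTLS12  bool // TLS 1.0/1.1 form checked the TLS 1.2 way (expected false)
	TLS12VerifiesAsTLS12   bool // TLS 1.2 form checked the TLS 1.2 way
	TLS12VerifiesAsLegacy  bool // TLS 1.2 form checked the TLS 1.0/1.1 way (expected false)
}

// legacyDigest is the 36-byte MD5 || SHA-1 concatenation that TLS 1.0/1.1
// sign for RSA client authentication.
func legacyDigest(transcript []byte) []byte {
	m := md5.Sum(transcript)
	s := sha1.Sum(transcript)
	return append(m[:], s[:]...)
}

// signLegacy: PKCS#1 v1.5 over the raw 36-byte digest with no DigestInfo
// prefix. crypto.MD5SHA1 tells the Go library to omit the prefix, which is
// the TLS < 1.2 form.
func signLegacy(priv *rsa.PrivateKey, transcript []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.MD5SHA1, legacyDigest(transcript))
}

// signTLS12: PKCS#1 v1.5 with a DigestInfo naming the hash (SHA-256 here),
// the form TLS 1.2 uses for the hash/signature pair it negotiated.
func signTLS12(priv *rsa.PrivateKey, transcript []byte) ([]byte, error) {
	d := sha256.Sum256(transcript)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Compare signs one transcript both ways with the same key (so the same
// certificate) and checks each signature under both verifier expectations.
func Compare(priv *rsa.PrivateKey, transcript []byte) (Result, error) {
	var r Result
	legacySig, err := signLegacy(priv, transcript)
	if err != nil {
		return r, err
	}
	tls12Sig, err := signTLS12(priv, transcript)
	if err != nil {
		return r, err
	}
	pub := &priv.PublicKey
	ld := legacyDigest(transcript)
	sd := sha256.Sum256(transcript)
	r.LegacyVerifiesAsLegacy = rsa.VerifyPKCS1v15(pub, crypto.MD5SHA1, ld, legacySig) == nil
	r.LegacyVerifiesAsTLS12 = rsa.VerifyPKCS1v15(pub, crypto.SHA256, sd[:], legacySig) == nil
	r.TLS12VerifiesAsTLS12 = rsa.VerifyPKCS1v15(pub, crypto.SHA256, sd[:], tls12Sig) == nil
	r.TLS12VerifiesAsLegacy = rsa.VerifyPKCS1v15(pub, crypto.MD5SHA1, ld, tls12Sig) == nil
	return r, nil
}

// Run generates a throwaway key and a constructed transcript so the example
// runs offline. A real client signs the hash of all handshake messages
// exchanged so far; the bytes here only stand in for that.
func Run() (Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	transcript := []byte("constructed handshake transcript: ClientHello..ClientKeyExchange")
	return Compare(priv, transcript)
}

func main() {
	r, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it prints a `Result` in which only the two matching combinations are `true`. When debugging a TLS 1.2 client-auth failure like the one in this thread, that is the first thing to check: which hash the client actually signed with in CertificateVerify, and whether the server's configured or advertised signature algorithms accept it, rather than re-verifying the certificate chain.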