On 20/06/2018 23:07, Viktor Dukhovni wrote:
> On Jun 20, 2018, at 3:44 PM, Jakob Bohm wrote:
>
> > I believe there is a fundamental concern, impossible to handle sanely
> > at the CA policy level, that a CA may reasonably have certificate
> > hierarchies targeting people with different maximum security strength
> > and/or living at different
On 20/06/2018 19:31, Viktor Dukhovni wrote:
> If some root CAs, or intermediate CAs to which they delegate authority,
> employ weak algorithms, your best bet is to not trust those
> CAs; they should not be using weak algorithms.
> TLS is not the best place to regulate (Web) PKI.

I believe there is a
> On Jun 20, 2018, at 12:47 PM, Matt Caswell wrote:
>
> An OpenSSL client will enforce that the ServerKeyExchange signature is
> consistent with the sig algs that it sent. It does *not* enforce that
> the server's certificate signatures are consistent with those sig algs.
> I don't think
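The distinction Matt draws above is the whole answer to the original question: the signature_algorithms list that SSL_CTX_set1_sigalgs_list() configures constrains signatures made during the handshake, and a client that wants to accept only certificates signed with a particular algorithm has to look at the certificate's own signatureAlgorithm field. In C that check belongs in a verify callback installed with SSL_CTX_set_verify(), using X509_get_signature_nid() on each certificate in the chain. The Python below is an added example, not code from the thread or from OpenSSL: it reads the outer structure of a DER certificate with a small hand-written TLV reader so it has no dependencies, maps the signature OID to a name, and rejects a chain that uses anything outside an allow-list. constructed_cert() builds a certificate-shaped byte string for offline testing and is not a real certificate; enforce_peer_sigalg() shows where the check sits on an ssl.SSLSocket after the handshake. One further point from the OpenSSL documentation, not something stated in the thread: SSL_CTX_set1_client_sigalgs_list() governs signature algorithms for client authentication, so it is the wrong call even for the handshake-signature half of the problem.

```python
import ssl

# Signature-algorithm OIDs -> names (values from RFC 8017 and RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

def _tlv(data, pos):
    """Decode one DER TLV (single-byte tag) at data[pos] -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(body):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                      # base-128, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate, i.e. SEQUENCE {
    tbsCertificate, signatureAlgorithm SEQUENCE { OID, params }, signatureValue }."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(cert, 0)               # skip tbsCertificate
    tag, alg_id, _ = _tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_body)

def check_chain_sigalgs(chain_der, allowed_names):
    """Return (depth, algorithm) for every certificate signed with a disallowed algorithm.
    Pass certificates leaf-first and without the trust anchor: a root's self-signature
    is never verified, so its algorithm carries no security. Empty list == policy met."""
    bad = []
    for depth, der in enumerate(chain_der):
        oid = cert_signature_oid(der)
        name = SIG_OIDS.get(oid, oid)       # unknown OIDs stay dotted, so they can be allowed by OID
        if name not in allowed_names:
            bad.append((depth, name))
    return bad

def enforce_peer_sigalg(tls_sock, allowed_names=("sha512WithRSAEncryption",)):
    """Call on an ssl.SSLSocket right after the handshake. getpeercert(binary_form=True)
    returns the DER of the leaf only, which is the server certificate the thread is about."""
    leaf = tls_sock.getpeercert(binary_form=True)
    if leaf is None:
        raise ssl.SSLCertVerificationError("no peer certificate")
    bad = check_chain_sigalgs([leaf], allowed_names)
    if bad:
        raise ssl.SSLCertVerificationError(f"disallowed certificate signature algorithm: {bad}")

# --- Constructed test input (not a real certificate) -----------------------

def _der(tag, body):
    """Encode one TLV, using the long length form when the body is >= 128 bytes."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out

def constructed_cert(sig_oid):
    """Certificate-shaped DER with the real outer layout but a dummy tbsCertificate
    and an empty signature; only good for exercising the parser above."""
    tbs = _der(0x30, _der(0x02, b"\x01") + b"\x00" * 200)   # > 127 bytes: forces long-form lengths
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```

With a policy of ("sha512WithRSAEncryption",), check_chain_sigalgs() returns [] for a chain whose certificates all carry OID 1.2.840.113549.1.1.13 and [(0, 'sha256WithRSAEncryption')] when the leaf was signed with SHA-256; on a live connection, call enforce_peer_sigalg(sock) immediately after ssl wraps the socket, before any application data is sent. The allow-list is matched by name, or by dotted OID for algorithms not in SIG_OIDS, so a deployment can pin exactly what it wants without editing the table.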
On 20/06/18 14:51, Devang Kubavat wrote:
> Hi Matt,
> Thanks for the reply.
>
> I also used both functions SSL_CTX_set1_sigalgs_list()
> SSL_CTX_set1_client_sigalgs_list()
> but the same thing happens.
> I set client-side "RSA+SHA512" using SSL_CTX_set1_sigalgs_list(), but it is
> still accepting the server certificate, which has signature algorithm
On 20/06/18 09:44, Devang Kubavat wrote:
> Hi all,
>
> I set the signature algorithm in the client using:
>
> /* signature algorithm list */
> (void)SSL_CTX_set1_client_sigalgs_list(ctx, "RSA+SHA512");
>
> Expected behavior: the client only accepts a server certificate whose signature
> algorithm is SHA512withRSAencryption during the TLS handshake.
> But, here even