On Tue, Nov 13, 2018 at 7:11 AM Stuart Henderson <s...@spacehopper.org> wrote: > > On 2018/11/13 14:41, Sebastien Marie wrote: > > On Tue, Nov 13, 2018 at 11:28:23AM +0000, Stuart Henderson wrote: > > > On 2018/11/13 09:37, Sebastien Marie wrote: > > > > Hi, > > > > > > > > Moving the thread to bugs@ has it seems to be an issue with libssl. > > > > > > > > When connecting with nc(1) to outlook.office365.com:993, on older system > > > > is able to connect and verify the connection. On a recent system, the > > > > handshake failed due to "invalid digest length". > > > > another regression with www.videolan.org . it isn't the exact same error > > "wrong signature type". > > > > on snapshot: OpenBSD 6.4-current (GENERIC.MP) #437: Mon Nov 12 20:06:01 MST > > 2018 > > > > $ nc -vvc www.videolan.org 443 > > Connection to www.videolan.org 443 port [tcp/https] succeeded! > > nc: tls handshake failed (handshake failed: error:14009172:SSL > > routines:CONNECT_CR_KEY_EXCH:wrong signature type) > > > > And this one is from ssl_sigalgs.c 1.8 "Fix pkey_ok to be less strange" >
I have worked around this, for now, however this is NOT a bug. The key they are using for the accepted sigalg does not use the right curve, So when we check for the curve, we should reject this signature -> this site is doing it wrong. I have disabled the check for now. (meaning we will verify with the wrong curve) and we'll revisit later depending on how much of a tire fire related sites are.