Philip Martin <phi...@codematters.co.uk> writes:

> Philip Martin <phi...@codematters.co.uk> writes:
>
>> In Marc's case getting a new server cert that is not RSASSA-PSS might be
>> the best solution.
>
> r1822996 fixes the x509 parser on trunk.  It doesn't mean that the
> client will be able to verify the RSASSA-PSS certs (you would need an
> OpenSSL fix for that) but it does allow a JavaHL client to accept the
> failure to verify.

Another data point: the behaviour varies between openssl 1.0 and openssl
1.1.  With openssl 1.1 the apache server will not even start when using
an RSASSA-PSS cert:

  [Sat Feb 03 10:18:03.858279 2018] [ssl:emerg] [pid 2717:tid 139629607192448] SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

With openssl 1.0 the server does start.  I'm using openssl 1.1 to
generate the cert in both cases.

A client using openssl 1.0 will connect to a server serving the
RSASSA-PSS cert.  Clients using openssl 1.1 fail to verify the cert.  The
underlying openssl 1.1 error appears to be

  $ openssl s_client -connect localhost:8887 -CAfile apache2/ssl/ca-cert.pem
  ...
  Verify return code: 68 (CA signature digest algorithm too weak)

This suggests that RSASSA-PSS is obsolete, but as I mentioned earlier in
the thread there are recent changes to the openssl project
adding/extending RSASSA-PSS support as part of TLS 1.3:

  https://github.com/openssl/openssl/issues/2878

-- 
Philip
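An added check, not part of this thread or of Subversion's x509 parser: it walks the outer DER structure of a certificate and reports the signature algorithm OID, so an admin can tell whether a server cert is RSASSA-PSS (id-RSASSA-PSS, 1.2.840.113549.1.1.10) before openssl 1.1 clients refuse it. The two sample certificates below are constructed shells with dummy bodies, not real certs.

```python
"""Report the signature algorithm of an X.509 certificate from its DER bytes."""

RSASSA_PSS_OID = "1.2.840.113549.1.1.10"

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OID content octets into dotted form (first octet packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # continuation bit clear: this arc is complete
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _, pos = read_tlv(body, 0)           # skip tbsCertificate
    _, algid, _ = read_tlv(body, pos)       # signatureAlgorithm
    tag, oid, _ = read_tlv(algid, 0)
    assert tag == 0x06, "expected an OID"
    return decode_oid(oid)

def is_rsassa_pss(der):
    return cert_signature_oid(der) == RSASSA_PSS_OID

def _shell(oid_hex, params):
    """Constructed sample: dummy tbsCertificate + AlgorithmIdentifier + dummy signature."""
    oid = bytes.fromhex(oid_hex)
    algid = b"\x06" + bytes([len(oid)]) + oid + params
    algid = b"\x30" + bytes([len(algid)]) + algid
    tbs, sig = b"\x30\x03\x02\x01\x02", b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(tbs) + len(algid) + len(sig)]) + tbs + algid + sig

SAMPLE_PSS_CERT = _shell("2a864886f70d01010a", b"\x30\x00")   # RSASSA-PSS, empty params
SAMPLE_RSA_CERT = _shell("2a864886f70d01010b", b"\x05\x00")   # sha256WithRSAEncryption, NULL

if __name__ == "__main__":
    print(cert_signature_oid(SAMPLE_PSS_CERT), is_rsassa_pss(SAMPLE_PSS_CERT))
```

To check a real server cert, feed it the output of `openssl x509 -in cert.pem -outform DER`.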
