Hi,

I'd like to submit a bug report for OpenSSL version 1.x and up, all
platforms supporting ECDSA in the TLS handshake.

In version 1.0.0 there were new digest algorithms introduced:
NID_ecdsa_with_SHA224
NID_ecdsa_with_SHA256
NID_ecdsa_with_SHA384
NID_ecdsa_with_SHA512
in addition to NID_ecdsa_with_SHA1

When a certificate with one of the new signature algorithms was used in
the handshake, it failed with error 0x1408a0c1 'no shared cipher'.
The reason is that the ssl_set_cert_masks() function only checks for
the NID_ecdsa_with_SHA1 algorithm

ssl_lib.c (1.0.0-beta5) line #1993

        if (signature_nid == NID_ecdsa_with_SHA1)

I'd suggest replacing it with

        if ((signature_nid == NID_ecdsa_with_SHA1) ||
            (signature_nid == NID_ecdsa_with_SHA224) ||
            (signature_nid == NID_ecdsa_with_SHA256) ||
            (signature_nid == NID_ecdsa_with_SHA384) ||
            (signature_nid == NID_ecdsa_with_SHA512))


Another place is in the function ssl_check_srvr_ecc_cert_and_alg()

ssl_lib.c (1.0.0-beta5) line #2077

        if (signature_nid != NID_ecdsa_with_SHA1)

replace with

        if ((signature_nid != NID_ecdsa_with_SHA1) &&
            (signature_nid != NID_ecdsa_with_SHA224) &&
            (signature_nid != NID_ecdsa_with_SHA256) &&
            (signature_nid != NID_ecdsa_with_SHA384) &&
            (signature_nid != NID_ecdsa_with_SHA512))

Of course it might be even better to check for ECDSA generally,
but I don't know how to make it simple (convert it to string and
search "ECDSA"?)

Thanks,

Alex Tyshlek

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
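
On the question of checking for ECDSA generally without string matching, the following is an added example (not part of the original message and not OpenSSL code) that classifies the DER-encoded signature-algorithm OID by arc: all five ecdsa-with-SHA* algorithms listed in the report sit under the X9.62 signature arc 1.2.840.10045.4. The function name and the sample byte arrays are assumptions constructed for illustration, and the check covers only that arc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER content bytes of the arc 1.2.840.10045.4 (X9.62 signatures). */
static const uint8_t X962_SIG_ARC[] = { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04 };

/* Constructed sample inputs: complete DER OIDs (tag 0x06, length, content). */
static const uint8_t OID_ECDSA_SHA1[]   = { 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x01 };
static const uint8_t OID_ECDSA_SHA256[] = { 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02 };
static const uint8_t OID_ECDSA_SHA512[] = { 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x04 };
/* sha256WithRSAEncryption, 1.2.840.113549.1.1.11 */
static const uint8_t OID_RSA_SHA256[]   = { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B };
/* id-ecPublicKey, 1.2.840.10045.2.1: an EC key type, not a signature */
static const uint8_t OID_EC_PUBKEY[]    = { 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01 };
/* Length byte claims 8 content bytes but only 6 are present. */
static const uint8_t OID_TRUNCATED[]    = { 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04 };

/* Returns 1 if der[0..len) is an OID below the X9.62 signature arc,
 * 0 if it is a well-formed OID elsewhere, -1 if malformed or unsupported. */
int is_x962_ecdsa_sig_oid(const uint8_t *der, size_t len)
{
    if (der == NULL || len < 3 || der[0] != 0x06)
        return -1;                      /* not an OBJECT IDENTIFIER */
    if (der[1] & 0x80)
        return -1;                      /* long-form length: unsupported here */
    size_t clen = der[1];
    if (clen == 0 || clen != len - 2)
        return -1;                      /* declared length disagrees with buffer */
    if (der[len - 1] & 0x80)
        return -1;                      /* final arc is not terminated */
    if (clen <= sizeof X962_SIG_ARC)
        return 0;                       /* the arc itself names no algorithm */
    /* The prefix ends on an arc boundary, so a byte match is an arc match. */
    return memcmp(der + 2, X962_SIG_ARC, sizeof X962_SIG_ARC) == 0;
}

int main(void)
{
    printf("ecdsa-with-SHA1:   %d\n", is_x962_ecdsa_sig_oid(OID_ECDSA_SHA1, sizeof OID_ECDSA_SHA1));
    printf("ecdsa-with-SHA256: %d\n", is_x962_ecdsa_sig_oid(OID_ECDSA_SHA256, sizeof OID_ECDSA_SHA256));
    printf("ecdsa-with-SHA512: %d\n", is_x962_ecdsa_sig_oid(OID_ECDSA_SHA512, sizeof OID_ECDSA_SHA512));
    printf("sha256WithRSA:     %d\n", is_x962_ecdsa_sig_oid(OID_RSA_SHA256, sizeof OID_RSA_SHA256));
    printf("id-ecPublicKey:    %d\n", is_x962_ecdsa_sig_oid(OID_EC_PUBKEY, sizeof OID_EC_PUBKEY));
    printf("truncated:         %d\n", is_x962_ecdsa_sig_oid(OID_TRUNCATED, sizeof OID_TRUNCATED));
    return 0;
}
```

Inside OpenSSL itself, OBJ_find_sigid_algs() maps a signature NID to its digest and public-key NIDs, which allows the same kind of family check on NIDs instead of raw OID bytes.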