On Tue, Mar 24, 2015, ???????????? ?????????????????? wrote:

> I use the openssl library in the project and use client certificate
> verification. When using protocol TLSv1.2 I have a problem with data
> encryption, using the private key of the client certificate. This is due to
> the fact that the certificate validation server selected encryption
> algorithm that is not supported by the crypt used to encrypt the signature
> on the client certificate (failure in method capi_rsa_sign of e_capi.c
> file).
> Now I have corrected the behavior as follows:
> - the method ssl3_send_client_certificate after selecting a client
>   certificate makes cleaning pkeys[i].digest
> - the method ssl_set_cert if pkeys[i].digest not specified, specify it.
>
> After that I worked with an application protocol TLSv1.2
>
> Is this correct or am I wrong to fix the library using openssl?

There are two ways to address this. One is to fix e_capi.c to use more digest algorithms (though this won't help if the underlying CSP doesn't support them). There is a fix in RT for this but it isn't in OpenSSL itself yet.

The other requires OpenSSL 1.0.2 where you can set a list of supported signature algorithms for client authentication and OpenSSL will only use those common to server and client for client authentication.

For that latter solution you can use SSL_CTX_set1_client_sigalgs_list() which takes a string argument in the same format as that used for the SignatureAlgorithms command of SSL_CONF:

"The value argument should be a colon separated list of signature algorithms in order of decreasing preference of the form algorithm+hash. algorithm is one of RSA, DSA or ECDSA and hash is a supported algorithm OID short name such as SHA1, SHA224, SHA256, SHA384 or SHA512. Note: algorithm and hash names are case sensitive."

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
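
An added example, not part of the original message and not OpenSSL code: a pre-flight check that validates a list in the algorithm+hash format quoted above and keeps only the entries whose hash the key provider can sign with, giving the string to hand to SSL_CTX_set1_client_sigalgs_list(). The helper name filter_sigalgs and the provider's hash list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Names the quoted format accepts; comparison is case sensitive. */
static const char *ALGS[] = { "RSA", "DSA", "ECDSA", NULL };
static const char *HASHES[] = { "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", NULL };

static int in_set(const char *s, size_t n, const char **set) {
    for (; *set; set++)
        if (strlen(*set) == n && memcmp(*set, s, n) == 0) return 1;
    return 0;
}

/* Hypothetical helper: copy to out the entries of wanted whose hash appears in
 * csp_hashes (what the key provider can sign), preserving preference order.
 * Returns the number kept, or -1 on a malformed entry or a too-small buffer. */
int filter_sigalgs(const char *wanted, const char **csp_hashes, char *out, size_t outlen) {
    int kept = 0;
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*wanted) {
        size_t len = strcspn(wanted, ":");
        const char *plus = memchr(wanted, '+', len);
        if (!plus) return -1;                      /* entry lacks "algorithm+hash" */
        size_t alen = (size_t)(plus - wanted), hlen = len - alen - 1;
        if (!in_set(wanted, alen, ALGS) || !in_set(plus + 1, hlen, HASHES))
            return -1;                             /* unknown or wrong-case name */
        if (in_set(plus + 1, hlen, csp_hashes)) {
            if (used + len + 2 > outlen) return -1;
            if (kept++) out[used++] = ':';
            memcpy(out + used, wanted, len);
            used += len;
            out[used] = '\0';
        }
        wanted += len;
        if (*wanted == ':') wanted++;
    }
    return kept;
}

int main(void) {
    const char *csp[] = { "SHA1", NULL }; /* constructed: provider signs SHA1 only */
    char list[128];
    if (filter_sigalgs("RSA+SHA256:ECDSA+SHA256:RSA+SHA1", csp, list, sizeof list) > 0)
        printf("%s\n", list); /* string for SSL_CTX_set1_client_sigalgs_list() */
    return 0;
}
```

A return of 0 means no requested entry is usable with the provider, so there is no list to set and client authentication with that key should be treated as unavailable.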
