On Mon, Oct 01, 2012, Abhiram Shandilya wrote:

> Is there a way to add a specific signature_algorithm extension when using
> s_client to connect to an SSL server? Why does s_client negotiate
> ECDH-RSA-AES128-SHA256 when I use the cipher ECDH-ECDSA-AES128-SHA256? Is
> this because they are equivalent under TLS v1.2 when no
> "signature_algorithm" extension is sent in the ClientHello message? Or does
> s_client send all supported signature algorithms in the extension? Thanks

OpenSSL 1.0.1 sends all signature algorithms supported by the OpenSSL library and there is no way to change that using the API.

OpenSSL HEAD (this might also be backported to 1.0.2 at some point) includes support for customising the signature algorithms sent so you can, for example, do:

    openssl s_client -sigalgs RSA+SHA512:ECDSA+SHA256

You won't get an ECDSA ciphersuite unless the server uses an ECDSA certificate: if it only has RSA you'll only get RSA ciphersuites.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org