Thanks for the response!

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Tuesday, October 02, 2012 3:39 AM
To: openssl-users@openssl.org
Subject: Re: s_client signature_algorithm extension

On Mon, Oct 01, 2012, Abhiram Shandilya wrote:

> Is there a way to add a specific signature_algorithm extension when
> using s_client to connect to an SSL server? Why does s_client negotiate
> ECDH-RSA-AES128-SHA256 when I use the cipher ECDH-ECDSA-AES128-SHA256?
> Is this because they are equivalent under TLS v1.2 when no
> "signature_algorithm" extension is sent in the ClientHello message? Or
> does s_client send all supported signature algorithms in the
> extension?  Thanks

OpenSSL 1.0.1 sends all signature algorithms supported by the OpenSSL library 
and there is no way to change that using the API. OpenSSL HEAD (this might also 
be backported to 1.0.2 at some point) includes support for customising the 
signature algorithms sent so you can, for example, do:

openssl s_client -sigalgs RSA+SHA512:ECDSA+SHA256

You won't get an ECDSA ciphersuite unless the server uses an ECDSA certificate:
if it only has RSA you'll only get RSA ciphersuites.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
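
An added example (not part of the original messages and not OpenSSL code): how a list such as RSA+SHA512:ECDSA+SHA256 is laid out on the wire in the TLS 1.2 signature_algorithms extension (type 13, RFC 5246 section 7.4.1.4.1), and how to decode the extension from a captured ClientHello to check what a client offered. The function names are hypothetical and the bytes are constructed sample data.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1),
# keyed by the names used in the -sigalgs string shown in the message above.
HASHES = {"MD5": 1, "SHA1": 2, "SHA224": 3, "SHA256": 4, "SHA384": 5, "SHA512": 6}
SIGS = {"RSA": 1, "DSA": 2, "ECDSA": 3}
EXT_SIGNATURE_ALGORITHMS = 13

def encode_sigalgs(spec):
    """Turn 'RSA+SHA512:ECDSA+SHA256' into the complete extension bytes."""
    pairs = b""
    for item in spec.split(":"):
        sig, _, digest = item.partition("+")
        if sig not in SIGS or digest not in HASHES:
            raise ValueError(f"unknown signature algorithm: {item!r}")
        pairs += bytes([HASHES[digest], SIGS[sig]])  # hash byte, then signature byte
    body = struct.pack("!H", len(pairs)) + pairs     # 2-byte list length + pairs
    return struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(body)) + body

def decode_sigalgs(ext):
    """Parse extension bytes into a -sigalgs style string, checking every length field."""
    if len(ext) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    if ext_type != EXT_SIGNATURE_ALGORITHMS:
        raise ValueError("not a signature_algorithms extension")
    pairs = ext[6:]
    if ext_len != len(ext) - 4 or list_len != len(pairs) or list_len % 2 or not list_len:
        raise ValueError("inconsistent length fields")
    hash_names = {v: k for k, v in HASHES.items()}
    sig_names = {v: k for k, v in SIGS.items()}
    out = []
    for i in range(0, list_len, 2):
        h, s = pairs[i], pairs[i + 1]
        # Unknown code points are reported numerically rather than dropped.
        out.append(f"{sig_names.get(s, f'sig{s}')}+{hash_names.get(h, f'hash{h}')}")
    return ":".join(out)

def offers_ecdsa(ext):
    """True if the client advertised any ECDSA signature algorithm."""
    return any(p.startswith("ECDSA+") for p in decode_sigalgs(ext).split(":"))

if __name__ == "__main__":
    wire = encode_sigalgs("RSA+SHA512:ECDSA+SHA256")  # constructed sample
    print(wire.hex(), decode_sigalgs(wire), offers_ecdsa(wire))
```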

