On Wed, Feb 27, 2013 at 01:55:24AM +0530, Thulasi Goriparthi wrote:
> > Interestingly enough, it is in fact SHA384 that fails with RSA-512. The
> > client and server agree on:
> >
> > ECDHE-RSA-AES256-GCM-SHA384
> >
>
> Signature Hash type is not controlled by the CipherSuite and can be
> dynamically chosen by Signer. First two bytes of signature (prepended) will
> give us the information about the private key type and hash type that were
> used to do the signing. These additional two bytes will also be received
> along with signature for the verification.
Given:

    https://tools.ietf.org/html/rfc5246#section-7.4.8

    The hash and signature algorithms used in the signature MUST be
    one of those present in the supported_signature_algorithms field
    of the CertificateRequest message. In addition, the hash and
    signature algorithms MUST be compatible with the key in the
    client's end-entity certificate. RSA keys MAY be used with any
    permitted hash algorithm, subject to restrictions in the
    certificate, if any.
I took a look at the server response and saw that it offers:
0601 SHA-512 + RSA
0602 SHA-512 + DSA
0603 SHA-512 + ECDSA
0501 SHA-384 + RSA
0502 SHA-384 + DSA
0503 SHA-384 + ECDSA
0401 SHA-256 + RSA
0402 SHA-256 + DSA
0403 SHA-256 + ECDSA
0301 SHA-224 + RSA
0302 SHA-224 + DSA
0303 SHA-224 + ECDSA
0201 SHA-1 + RSA
0202 SHA-1 + DSA
0203 SHA-1 + ECDSA
0101 MD5 + RSA
So almost certainly the (OpenSSL) client chose SHA-512 + RSA, and
then fails, because while it supports the algorithm, it can't
actually do SHA-512 with the given key. This is I think a bug. The
client should choose the strongest digest compatible with its key.
And of course, more importantly, the client should not use weak keys.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
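The selection rule Viktor describes (pick the strongest server-offered digest the client's RSA key can actually carry) can be checked with the length rule of EMSA-PKCS1-v1_5 from RFC 8017 section 9.2: the DER DigestInfo plus at least 11 bytes of padding must fit in the key's modulus length in bytes. The example below is added here and is not code from the thread or from OpenSSL; it replays the 16 code points the server offers, and the 512-bit and 1024-bit key sizes are constructed test inputs. Names such as `choose_hash` and `rsa_hash_fits` are this example's own.

```python
"""
Strongest TLS 1.2 signature hash an RSA key can actually use.

Added illustration, not code from the OpenSSL project or the mailing list
thread. It decodes the server's supported_signature_algorithms list exactly as
quoted in the mail and applies the EMSA-PKCS1-v1_5 length rule
(RFC 8017 section 9.2): the encoded message needs k >= len(DigestInfo) + 11,
where k is the modulus length in bytes.
"""
import hashlib

# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246 7.4.1.4.1).
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}

# DER DigestInfo prefixes T from RFC 8017 section 9.2 note 1; the digest follows.
DIGESTINFO_PREFIX = {
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha224": bytes.fromhex("302d300d06096086480165030402040500041c"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

# The server's CertificateRequest list as quoted in the mail (descending preference).
SERVER_OFFER = [
    "0601", "0602", "0603", "0501", "0502", "0503", "0401", "0402", "0403",
    "0301", "0302", "0303", "0201", "0202", "0203", "0101",
]


def parse_signature_algorithms(hexpairs):
    """Decode 2-byte (hash, signature) code points into (hash_name, sig_name) tuples."""
    out = []
    for pair in hexpairs:
        h, s = int(pair[:2], 16), int(pair[2:], 16)
        out.append((HASH_NAMES[h], SIG_NAMES[s]))
    return out


def rsa_hash_fits(hash_name, key_bits):
    """True if EMSA-PKCS1-v1_5 with this digest fits a modulus of key_bits bits."""
    k = (key_bits + 7) // 8
    t_len = len(DIGESTINFO_PREFIX[hash_name]) + hashlib.new(hash_name).digest_size
    return k >= t_len + 11


def emsa_pkcs1_v15_encode(hash_name, message, k):
    """EMSA-PKCS1-v1_5 encoding (RFC 8017 9.2); raises ValueError if the key is too short.

    This is the check a signer runs before the RSA private-key operation, and it
    is where a 512-bit key rejects SHA-384 and SHA-512.
    """
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (k - len(t) - 3)          # at least 8 bytes of 0xff padding
    return b"\x00\x01" + ps + b"\x00" + t


def choose_hash(server_list, key_bits, sig="rsa"):
    """Return the first (strongest, by server preference) hash the key can carry.

    Returns None when no offered pair is usable with the key.
    """
    for hash_name, sig_name in server_list:
        if sig_name == sig and rsa_hash_fits(hash_name, key_bits):
            return hash_name
    return None


if __name__ == "__main__":
    offer = parse_signature_algorithms(SERVER_OFFER)
    for bits in (512, 1024, 2048):
        print(f"RSA-{bits}: strongest usable hash = {choose_hash(offer, bits)}")
```

Running it shows why the failure in the thread is a selection bug rather than a protocol violation: with a 512-bit key only SHA-256 and below fit (51 + 11 = 62 bytes of a 64-byte modulus), so a client that walks the server's list and skips pairs its key cannot encode lands on SHA-256 instead of attempting SHA-512 and failing in the signing step.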