On Wed, Feb 27, 2013 at 01:55:24AM +0530, Thulasi Goriparthi wrote:
> > Interestingly enough, it is in fact SHA384 that fails with RSA-512. The
> > client and server agree on:
> >
> > ECDHE-RSA-AES256-GCM-SHA384
> >
> Signature Hash type is not controlled by the CipherSuite and can be
> dynamically chosen by the signer. First two bytes of signature (prepended) will
> give us the information about the private key type and hash type that were
> used to do the signing. These additional two bytes will also be received
> along with signature for the verification.
Given:

    https://tools.ietf.org/html/rfc5246#section-7.4.8

    The hash and signature algorithms used in the signature MUST be one of
    those present in the supported_signature_algorithms field of the
    CertificateRequest message. In addition, the hash and signature
    algorithms MUST be compatible with the key in the client's end-entity
    certificate. RSA keys MAY be used with any permitted hash algorithm,
    subject to restrictions in the certificate, if any.

I took a look at the server response and saw that it offers:

    0601 SHA-512 + RSA
    0602 SHA-512 + DSA
    0603 SHA-512 + ECDSA
    0501 SHA-384 + RSA
    0502 SHA-384 + DSA
    0503 SHA-384 + ECDSA
    0401 SHA-256 + RSA
    0402 SHA-256 + DSA
    0403 SHA-256 + ECDSA
    0301 SHA-224 + RSA
    0302 SHA-224 + DSA
    0303 SHA-224 + ECDSA
    0201 SHA-1 + RSA
    0202 SHA-1 + DSA
    0203 SHA-1 + ECDSA
    0101 MD5 + RSA

So almost certainly the (OpenSSL) client chose SHA-512 + RSA, and then fails,
because while it supports the algorithm, it can't actually do SHA-512 with the
given key. This is, I think, a bug. The client should choose the strongest
digest compatible with its key. And of course, more importantly, the client
should not use weak keys.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
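The "digest too big for the key" situation Viktor describes is arithmetic: an EMSA-PKCS1-v1_5 encoding needs the modulus to be at least the DigestInfo length plus 11 bytes (RFC 3447 section 9.2). The following is an added example, not OpenSSL code, that parses the server's offered SignatureAndHashAlgorithm list quoted above and picks the strongest RSA hash a key of a given size can carry; for a 512-bit key that is SHA-256, since SHA-384 and SHA-512 need at least 624 and 752 bits respectively.

```python
"""Pick the strongest server-offered RSA hash that a PKCS#1 v1.5 signature
can actually carry for a given RSA modulus size.

Added example, not OpenSSL code. Hash/signature codes are from RFC 5246
7.4.1.4.1, DigestInfo lengths from RFC 3447 9.2 note 1, and the offered
list is the one quoted in the thread."""

# TLS 1.2 HashAlgorithm code -> (name, DigestInfo length T in bytes),
# where T = DER prefix length + digest length (RFC 3447 9.2 note 1).
HASHES = {
    0x01: ("md5", 18 + 16),
    0x02: ("sha1", 15 + 20),
    0x03: ("sha224", 19 + 28),
    0x04: ("sha256", 19 + 32),
    0x05: ("sha384", 19 + 48),
    0x06: ("sha512", 19 + 64),
}
RSA = 0x01  # SignatureAlgorithm.rsa

# supported_signature_algorithms as sent by the server in the thread.
SERVER_OFFER = bytes.fromhex(
    "060106020603050105020503040104020403030103020303020102020203" "0101"
)

def parse_sig_algs(blob):
    """Split raw SignatureAndHashAlgorithm bytes into (hash, sig) pairs."""
    if len(blob) % 2:
        raise ValueError("odd-length SignatureAndHashAlgorithm list")
    return [(blob[i], blob[i + 1]) for i in range(0, len(blob), 2)]

def min_modulus_bits(hash_code):
    """Smallest RSA modulus (bits) whose EMSA-PKCS1-v1_5 encoding fits this
    hash: RFC 3447 9.2 step 3 requires emLen >= tLen + 11."""
    _, t_len = HASHES[hash_code]
    return (t_len + 11) * 8

def pick_rsa_hash(offer, modulus_bits):
    """Return the strongest offered RSA hash usable with an RSA key of
    modulus_bits, or None. Strength is ordered by DigestInfo length,
    which is monotone in digest size."""
    usable = [
        h for h, s in parse_sig_algs(offer)
        if s == RSA and h in HASHES and min_modulus_bits(h) <= modulus_bits
    ]
    if not usable:
        return None
    best = max(usable, key=lambda h: HASHES[h][1])
    return HASHES[best][0]
```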