In case an ECDSA-based server certificate with ECDHE-based key exchange
is used, I've noticed that the ServerKeyExchange message (always?)
signals that this message has been signed with ecdsa-secp521r1-sha512
(0x0603) [tested on current with TLS 1.2 with P-256 as well as with
P-521 server certificates -- the actual signature sizes differ as
expected but the signalling of the signature algorithm is identical in
both cases].
Example: in case the server certificate contains a P-256 based public
key, the actually provided signature for the ServerKeyExchange message
is ecdsa-secp256r1-sha256. However, the signature algorithm field
signals 0x0603 [ecdsa-secp521r1-sha512] instead of 0x0403
[ecdsa-secp256r1-sha256].
Multiple TLS libraries seem to behave this way, but, according to the
RFCs, I would expect the actually used signature algorithm to be provided
with the ServerKeyExchange message. Could someone please clarify if this
is a bug?
Slightly related: is there a good reason why libtls doesn't provide an
API call for explicitly configuring allowed signature algorithms (via
Signature Algorithms extension)? (e.g., in order to ensure that
ecdsa-sha1 0x0203 is not included in the list).
Best regards
Andreas
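As an added example (this is not code from the post above nor from LibreSSL/libtls), the following Python decodes the TLS 1.2 ECDHE_ECDSA ServerKeyExchange body the post is talking about: ECParameters (named_curve), the ECPoint, and the DigitallySigned block whose first two bytes are the SignatureAndHashAlgorithm. In TLS 1.2 (RFC 5246) those two bytes are {hash, signature}, so 0x0603 is sha512+ecdsa and 0x0403 is sha256+ecdsa; the curve-specific names (ecdsa_secp521r1_sha512, ecdsa_secp256r1_sha256) are the TLS 1.3 labels for the same codepoints, and it is only under those labels that the hash is expected to match the certificate's curve. The code estimates the curve from the size of r and s in the DER-encoded signature, compares the signalled codepoint with the hash the TLS 1.3 naming pairs with the certificate's curve, and also decodes a signature_algorithms extension body to flag ecdsa+sha1 (0x0203). The message bytes, point and r/s values are constructed for illustration; the signature is not a valid signature over anything.

```python
import struct

# TLS 1.2 SignatureAndHashAlgorithm = {HashAlgorithm, SignatureAlgorithm}
# (RFC 5246, section 7.4.1.4.1); 0x0603 is therefore sha512 + ecdsa.
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# NamedCurve values (RFC 4492 / RFC 8422) with the byte size of a field element.
NAMED_CURVES = {23: ("secp256r1", 32), 24: ("secp384r1", 48), 25: ("secp521r1", 66)}
# Hash that the TLS 1.3 codepoint names (ecdsa_secp256r1_sha256 = 0x0403, ...)
# pair with each curve.  TLS 1.2 itself does not tie the hash to the curve.
HASH_FOR_CURVE = {"secp256r1": 4, "secp384r1": 5, "secp521r1": 6}


def _der_len(buf: bytes, i: int) -> tuple[int, int]:
    """Decode a DER length at buf[i]; return (length, index after the length)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_len_enc(n: int) -> bytes:
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])  # enough for n < 256


def der_ecdsa_sig(r: int, s: int) -> bytes:
    """Encode ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } (constructed values)."""
    def der_int(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        if b[0] & 0x80:
            b = b"\x00" + b  # keep the INTEGER positive
        return b"\x02" + _der_len_enc(len(b)) + b
    body = der_int(r) + der_int(s)
    return b"\x30" + _der_len_enc(len(body)) + body


def parse_der_ecdsa_sig(sig: bytes) -> tuple[int, int]:
    if sig[0] != 0x30:
        raise ValueError("ECDSA signature is not a DER SEQUENCE")
    seq_len, i = _der_len(sig, 1)
    if i + seq_len != len(sig):
        raise ValueError("trailing bytes after signature")
    ints = []
    for _ in range(2):
        if sig[i] != 0x02:
            raise ValueError("expected DER INTEGER")
        n, i = _der_len(sig, i + 1)
        ints.append(int.from_bytes(sig[i:i + n], "big"))
        i += n
    return ints[0], ints[1]


def build_ecdhe_ske(named_curve, point, hash_alg, sig_alg, signature):
    """ServerKeyExchange body for ECDHE_ECDSA: ECParameters(named_curve), ECPoint, DigitallySigned."""
    return (b"\x03" + struct.pack(">H", named_curve)
            + bytes([len(point)]) + point
            + bytes([hash_alg, sig_alg])
            + struct.pack(">H", len(signature)) + signature)


def parse_ecdhe_ske(msg: bytes) -> dict:
    if msg[0] != 3:
        raise ValueError("only ECCurveType named_curve (3) is supported")
    named_curve = struct.unpack(">H", msg[1:3])[0]
    plen = msg[3]
    point, i = msg[4:4 + plen], 4 + plen
    hash_alg, sig_alg = msg[i], msg[i + 1]
    slen = struct.unpack(">H", msg[i + 2:i + 4])[0]
    signature = msg[i + 4:i + 4 + slen]
    if i + 4 + slen != len(msg) or len(point) != plen:
        raise ValueError("truncated or oversized ServerKeyExchange")
    return {"named_curve": named_curve, "point": point, "hash_alg": hash_alg,
            "sig_alg": sig_alg, "signature": signature}


def check_signalled_algorithm(ske: dict, cert_curve: str) -> dict:
    """Compare the signalled SignatureAndHashAlgorithm with the certificate's curve."""
    r, s = parse_der_ecdsa_sig(ske["signature"])
    field_bytes = max((r.bit_length() + 7) // 8, (s.bit_length() + 7) // 8)
    sig_curve = next((n for n, size in NAMED_CURVES.values() if field_bytes <= size), "unknown")
    signalled = f"0x{ske['hash_alg']:02x}{ske['sig_alg']:02x}"
    expected = f"0x{HASH_FOR_CURVE[cert_curve]:02x}03"
    return {"signalled": signalled,
            "signalled_label": f"{HASH_NAMES.get(ske['hash_alg'], '?')}+{SIG_NAMES.get(ske['sig_alg'], '?')}",
            "sig_field_bytes": field_bytes, "sig_curve_guess": sig_curve,
            "expected_for_cert_curve": expected, "mismatch": signalled != expected}


def parse_sigalgs_ext(data: bytes) -> list[tuple[int, int]]:
    """signature_algorithms body: SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>."""
    n = struct.unpack(">H", data[:2])[0]
    body = data[2:2 + n]
    if len(body) != n or n % 2:
        raise ValueError("malformed signature_algorithms list")
    return [(body[i], body[i + 1]) for i in range(0, n, 2)]


def weak_sigalgs(pairs):
    """Pairs using md5 or sha1 (e.g. 0x0203 = sha1+ecdsa) that a client should not offer."""
    return [p for p in pairs if p[0] in (1, 2)]


if __name__ == "__main__":
    # Constructed P-256-sized r/s (not a valid signature) signalled as 0x0603.
    r, s = (1 << 255) | 0x1234, (1 << 200) + 5
    point = b"\x04" + bytes(64)  # uncompressed P-256 point placeholder
    ske = parse_ecdhe_ske(build_ecdhe_ske(23, point, 0x06, 0x03, der_ecdsa_sig(r, s)))
    print(check_signalled_algorithm(ske, "secp256r1"))
    print(weak_sigalgs(parse_sigalgs_ext(b"\x00\x04\x04\x03\x02\x03")))
```

Running the stand-alone block reports signalled 0x0603 (sha512+ecdsa) against a 32-byte field signature, which is exactly the P-256 case described above; swapping in a 66-byte r/s pair and a secp521r1 certificate gives no mismatch. The curve guess from r/s size is a heuristic (a small r or s under-reports the field), so for a real capture compare against the certificate's SubjectPublicKeyInfo rather than the signature alone.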