Regarding to disable some signature algorithm in client hello message


Regarding to disable some signature algorithm in client hello message

Devang Kubavat

Hi,

I want to disable the SHA1 hash algorithm in the signature_algorithms extension of the ClientHello message.

I have used

      /* the signature algorithms list */
      const char signAlgo[] = "RSA+SHA256";
      (void)SSL_CTX_set1_client_sigalgs_list(ctx, signAlgo);

But the client still sends all algorithms. Is there any other way to set the signature algorithms on an SSL_CTX or SSL?

Best Regards,
Devang

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Regarding to disable some signature algorithm in client hello message

Murugesh
Hi,

SSL_CTX_set1_client_sigalgs_list() is the correct method for this purpose.
Try checking the return value of this function; on failure it returns 0.
Also try SSL_CTX_set1_client_sigalgs_list(ctx, "RSA+SHA256");

Thanks,
Murugesh P.


On 6/19/18, Devang Kubavat <[hidden email]> wrote:

> Hi,
>
> I want to disable the SHA1 hash algorithm in the signature_algorithms
> extension of the ClientHello message.
>
> I have used
>       /* the signature algorithms list */
>       const char signAlgo[] = "RSA+SHA256";
>       (void)SSL_CTX_set1_client_sigalgs_list(ctx, signAlgo);
>
> But the client still sends all algorithms. Is there any other way to set
> the signature algorithms on an SSL_CTX or SSL?
>
>
> Best Regards,
> Devang
>
>

Re: Regarding to disable some signature algorithm in client hello message

Matt Caswell
In reply to this post by Devang Kubavat


On 19/06/18 07:16, Devang Kubavat wrote:

> Hi,
>
> I want to disable the SHA1 hash algorithm in the signature_algorithms
> extension of the ClientHello message.
>
> I have used
>
>       /* the signature algorithms list */
>       const char signAlgo[] = "RSA+SHA256";
>       (void)SSL_CTX_set1_client_sigalgs_list(ctx, signAlgo);
>
> But the client still sends all algorithms. Is there any other way to
> set the signature algorithms on an SSL_CTX or SSL?


The function "SSL_CTX_set1_client_sigalgs_list()" is for setting
signature algorithms related to *client authentication*. This is not the
same as the sig algs sent in the ClientHello. For that you need to use
SSL_CTX_set1_sigalgs_list().

Matt
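To see whether the right function took effect, the practical check is to look at the bytes of the signature_algorithms extension (type 13) in a captured ClientHello rather than at the string you passed in. The following is an added illustration, not OpenSSL's own code: it takes a list in the "SIG+HASH:SIG+HASH" syntax that SSL_CTX_set1_sigalgs_list() accepts for TLS 1.2 and encodes it into the extension body as defined in RFC 5246 (a two-byte length followed by one hash/signature byte pair per entry; SHA1 is hash code 2, SHA256 is 4, RSA is signature code 1, ECDSA is 3), then scans such a body for a given hash. The function names build_sigalgs_ext and ext_uses_hash and the sample lists are assumptions made for this example. Returning -1 for a malformed entry mirrors the point made earlier in the thread: the OpenSSL setter returns 0 and leaves the configuration unchanged when the string is rejected, which is silently lost behind a (void) cast.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* TLS 1.2 HashAlgorithm and SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1). */
static int hash_code(const char *name) {
    if (!strcmp(name, "MD5"))    return 1;
    if (!strcmp(name, "SHA1"))   return 2;
    if (!strcmp(name, "SHA224")) return 3;
    if (!strcmp(name, "SHA256")) return 4;
    if (!strcmp(name, "SHA384")) return 5;
    if (!strcmp(name, "SHA512")) return 6;
    return -1;
}

static int sig_code(const char *name) {
    if (!strcmp(name, "RSA"))   return 1;
    if (!strcmp(name, "DSA"))   return 2;
    if (!strcmp(name, "ECDSA")) return 3;
    return -1;
}

/* Encode an OpenSSL-style "SIG+HASH:SIG+HASH" list (hypothetical helper, not
 * an OpenSSL API) as the body of the signature_algorithms extension: a 2-byte
 * big-endian length followed by (hash, signature) byte pairs. Returns the
 * number of bytes written, or -1 if any entry is malformed or unknown, in
 * which case nothing should be trusted from out (the whole list is rejected,
 * as SSL_CTX_set1_sigalgs_list() does by returning 0). */
static int build_sigalgs_ext(const char *list, uint8_t *out, size_t outlen) {
    char buf[256];
    size_t n = 2;                        /* reserve the length prefix */
    if (strlen(list) >= sizeof(buf) || outlen < 2) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ":"); tok != NULL; tok = strtok(NULL, ":")) {
        char *plus = strchr(tok, '+');
        if (plus == NULL) return -1;     /* "RSA-SHA1" style is not the list syntax */
        *plus = '\0';
        int s = sig_code(tok), h = hash_code(plus + 1);
        if (s < 0 || h < 0 || n + 2 > outlen) return -1;
        out[n++] = (uint8_t)h;           /* hash byte first on the wire */
        out[n++] = (uint8_t)s;
    }
    if (n == 2) return -1;               /* empty list */
    out[0] = (uint8_t)((n - 2) >> 8);
    out[1] = (uint8_t)((n - 2) & 0xff);
    return (int)n;
}

/* Scan an encoded extension body (as pulled from a ClientHello capture) for
 * any pair using the given hash code. If hash code 2 (SHA1) is still present,
 * the client-side configuration did not take effect. */
static int ext_uses_hash(const uint8_t *ext, int extlen, int hash) {
    if (extlen < 2) return 0;
    int pairs = ((ext[0] << 8) | ext[1]) / 2;
    for (int i = 0; i < pairs && 2 + 2 * i + 1 < extlen; i++)
        if (ext[2 + 2 * i] == hash) return 1;
    return 0;
}

int main(void) {
    /* Constructed sample lists: one SHA1-free, one that still offers SHA1,
     * and one with a typo that the setter would reject outright. */
    const char *lists[] = { "RSA+SHA256:ECDSA+SHA256",
                            "RSA+SHA256:RSA+SHA1",
                            "RSA+SHA256:RSA-SHA1" };
    uint8_t ext[64];
    for (size_t i = 0; i < sizeof(lists) / sizeof(lists[0]); i++) {
        int n = build_sigalgs_ext(lists[i], ext, sizeof ext);
        printf("%-26s -> ", lists[i]);
        if (n < 0) { printf("rejected (malformed list)\n"); continue; }
        for (int j = 0; j < n; j++) printf("%02x", ext[j]);
        printf("  SHA1 offered: %s\n", ext_uses_hash(ext, n, 2) ? "yes" : "no");
    }
    return 0;
}
```

For a live check against OpenSSL itself, `openssl s_client -sigalgs 'RSA+SHA256:ECDSA+SHA256' -connect host:443` uses the same list syntax, and the resulting ClientHello in a packet capture should carry exactly the pairs this encoder produces for that string. Note that a list with a malformed entry yields no partial result here, just as the real setter leaves the previous configuration in place; always test the return value instead of casting it away.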

Re: Regarding to disable some signature algorithm in client hello message

Srivalli
In reply to this post by Murugesh
I tried modifying the "tls12_sigalgs" list in t1_lib.c of OpenSSL 1.0.2x to restrict a bunch of signature algorithms from being proposed in the ClientHello message.
That did work.

Thanks.
Srivalli
