no suitable signature algorithm during handshake failure

Working on a migration for an application (OpenLDAP) where the old version
is linked to OpenSSL 1.0.2 to where the new version is linked to OpenSSL
1.1.1h.

Most client applications are working without issue.  However, one Windows
client application consistently fails to connect to the OpenSSL 1.1.1h
linked slapd with an error of no suitable signature algorithm during the
handshake.

Using wireshark, we can see the following signature algorithms are offered
from the client side (which uses TLSv1.2) for both the working and failing
servers:

0x0403 ECDSA-SHA256
0x0503 ECDSA-SHA384
0x0603 ECDSA-SHA512
0x0401 RSA-SHA256
0x0501 RSA-SHA384
0x0601 RSA-SHA512
0x0402 DSA-SHA256
0x0203 ECDSA-SHA1
0x0201 RSA-SHA1
0x0202 DSA-SHA1

If I test connecting on the command line to the server in question, I can
connect using any of RSA+SHA256, RSA+SHA384, and RSA+SHA512 from the above
signature algorithms without issue, like:

openssl s_client -connect <host:636> -tls1_2 -sigalgs RSA+SHA256

Any suggestions as to why the windows client is unable to negotiate with a
new version of OpenSSL?

The error in the log is:

error: 14201076:SSL routines:tls_choose_sigalg:no suitable signature
algorithm.

Thanks,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

On Thu, Jan 07, 2021 at 05:10:29PM -0800, Quanah Gibson-Mount wrote:

You're leaving out too much detail.  Post the full client hello decoded
by "tshark":

    https://www.spinics.net/lists/openssl-users/msg05623.html

> If I test connecting on the command line to the server in question, I can
> connect using any of RSA+SHA256, RSA+SHA384, and RSA+SHA512 from the above
> signature algorithms without issue, like:

What sort of certificate does the server have.  Are there any ssl module
settings in its openssl.cnf file?

--
    Viktor.

--On Thursday, January 7, 2021 8:56 PM -0500 Viktor Dukhovni
<[hidden email]> wrote:

> You're leaving out too much detail.  Post the full client hello decoded
> by "tshark":
>
>     https://www.spinics.net/lists/openssl-users/msg05623.html

Thanks Viktor.  Mainly, I wasn't sure what specific information would be
necessary.  Here's what wireshark shows (IP addresses obfuscated):

No.     Time           UTC                           Source
Length Destination           Protocol Info
      1 0.000000       2021-01-07 21:19:53.417328    255.255.255.223
68     255.255.255.198       TCP      51466→636 [SYN, ECN, CWR] Seq=0
Win=8192 Len=0 MSS=1380 WS=256 SACK_PERM=1

Frame 1: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 255.255.255.223, Dst: 255.255.255.198
Transmission Control Protocol, Src Port: 51466, Dst Port: 636, Seq: 0, Len:
0

No.     Time           UTC                           Source
Length Destination           Protocol Info
      2 0.000081       2021-01-07 21:19:53.417409    255.255.255.198
68     255.255.255.223        TCP      636→51466 [SYN, ACK] Seq=0 Ack=1
Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128

Frame 2: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 255.255.255.198, Dst: 255.255.255.223
Transmission Control Protocol, Src Port: 636, Dst Port: 51466, Seq: 0, Ack:
1, Len: 0

No.     Time           UTC                           Source
Length Destination           Protocol Info
      3 0.000462       2021-01-07 21:19:53.417790    255.255.255.223
62     255.255.255.198       TCP      51466→636 [ACK] Seq=1 Ack=1
Win=2097408 Len=0

Frame 3: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 255.255.255.223, Dst: 255.255.255.198
Transmission Control Protocol, Src Port: 51466, Dst Port: 636, Seq: 1, Ack:
1, Len: 0
VSS-Monitoring ethernet trailer, Source Port: 0

No.     Time           UTC                           Source
Length Destination           Protocol Info
      4 0.004053       2021-01-07 21:19:53.421381    255.255.255.223
484    255.255.255.198       TLSv1.2  Client Hello

Frame 4: 484 bytes on wire (3872 bits), 484 bytes captured (3872 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 255.255.255.223, Dst: 255.255.255.198
Transmission Control Protocol, Src Port: 51466, Dst Port: 636, Seq: 1, Ack:
1, Len: 428
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 423
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 419
            Version: TLS 1.2 (0x0303)
            Random
                GMT Unix Time: Oct  2, 2014 19:22:16.000000000 MDT
                Random Bytes:
3226c3627d2ba7c967ce2cf097e616d9cbe45d1bb1cc21f4...
            Session ID Length: 32
            Session ID: bde8c16349a08e56a121b6e7aa1f317acf42186ba79b134d...
            Cipher Suites Length: 88
            Cipher Suites (44 suites)
                Cipher Suite: Unknown (0x1301)
                Cipher Suite: Unknown (0x1302)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
(0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
(0xc02e)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
(0xc02d)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
(0xc024)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
(0xc026)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
(0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
(0xc025)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 258
            Extension: server_name
                Type: server_name (0x0000)
                Length: 35
                Server Name Indication extension
                    Server Name list length: 33
                    Server Name Type: host_name (0)
                    Server Name length: 30
                    Server Name: directory.srv.TEST.ualberta.ca
            Extension: status_request
                Type: status_request (0x0005)
                Length: 5
                Certificate Status Type: OCSP (1)
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 32
                Elliptic Curves Length: 30
                Elliptic curves (15 curves)
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
            Extension: signature_algorithms
                Type: signature_algorithms (0x000d)
                Length: 22
                Signature Hash Algorithms Length: 20
                Signature Hash Algorithms (10 algorithms)
                    Signature Hash Algorithm: 0x0403
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0503
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0603
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0401
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0501
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0601
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0402
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0203
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0201
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0202
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
            Extension: Unknown 50
                Type: Unknown (0x0032)
                Length: 22
                Data (22 bytes)
            Extension: status_request_v2
                Type: status_request_v2 (0x0011)
                Length: 9
                Certificate Status Type: OCSP Multi (2)
                Certificate Status Length: 4
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: Extended Master Secret
                Type: Extended Master Secret (0x0017)
                Length: 0
            Extension: Unknown 43
                Type: Unknown (0x002b)
                Length: 9
                Data (9 bytes)
            Extension: Unknown 45
                Type: Unknown (0x002d)
                Length: 2
                Data (2 bytes)
            Extension: Unknown 51
                Type: Unknown (0x0033)
                Length: 71
                Data (71 bytes)
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0

No.     Time           UTC                           Source
Length Destination           Protocol Info
      5 0.004070       2021-01-07 21:19:53.421398    255.255.255.198
56     255.255.255.223        TCP      636→51466 [ACK] Seq=1 Ack=429
Win=64128 Len=0

Frame 5: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 255.255.255.198, Dst: 255.255.255.223
Transmission Control Protocol, Src Port: 636, Dst Port: 51466, Seq: 1, Ack:
429, Len: 0

No.     Time           UTC                           Source
Length Destination           Protocol Info
      6 0.004332       2021-01-07 21:19:53.421660    255.255.255.198
63     255.255.255.223        TLSv1.2  Alert (Level: Fatal, Description:
Handshake Failure)

Frame 6: 63 bytes on wire (504 bits), 63 bytes captured (504 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 255.255.255.198, Dst: 255.255.255.223
Transmission Control Protocol, Src Port: 636, Dst Port: 51466, Seq: 1, Ack:
429, Len: 7
Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake
Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)



And here's the output from tshark:

0000  00 00 00 01 00 06 a2 01 00 00 01 6a 00 00 08 00   ...........j....
0010  45 02 00 34 27 36 40 00 7e 06 e2 fd FF FF FF df   E..4'6@.~.....a.
0020  FF FF FF c6 c9 0a 02 7c f9 79 74 f4 00 00 00 00   ..r....|.yt.....
0030  80 c2 20 00 22 1d 00 00 02 04 05 64 01 03 03 08   .. ."......d....
0040  01 01 04 02                                       ....

0000  00 04 00 01 00 06 00 50 56 a2 57 0e 00 00 08 00   .......PV.W.....
0010  45 00 00 34 00 00 40 00 40 06 48 36 FF FF FF c6   E..4..@.@.H6..r.
0020  FF FF FF df 02 7c c9 0a 23 63 fa 85 f9 79 74 f5   ..a..|..#c...yt.
0030  80 12 fa f0 f2 b4 00 00 02 04 05 b4 01 01 04 02   ................
0040  01 03 03 07                                       ....

0000  00 00 00 01 00 06 a2 01 00 00 01 6a 00 00 08 00   ...........j....
0010  45 00 00 28 27 37 40 00 7e 06 e3 0a FF FF FF df   E..('7@.~.....a.
0020  FF FF FF c6 c9 0a 02 7c f9 79 74 f5 23 63 fa 86   ..r....|.yt.#c..
0030  50 10 20 01 45 65 00 00 00 00 00 00 00 00         P. .Ee........

0000  00 00 00 01 00 06 a2 01 00 00 01 6a 00 00 08 00   ...........j....
0010  45 00 01 d4 27 38 40 00 7e 06 e1 5d FF FF FF df   E...'8@.~..]..a.
0020  FF FF FF c6 c9 0a 02 7c f9 79 74 f5 23 63 fa 86   ..r....|.yt.#c..
0030  50 18 20 01 49 33 00 00 16 03 03 01 a7 01 00 01   P. .I3..........
0040  a3 03 03 54 2d fa 48 32 26 c3 62 7d 2b a7 c9 67   ...T-.H2&.b}+..g
0050  ce 2c f0 97 e6 16 d9 cb e4 5d 1b b1 cc 21 f4 6d   .,.......]...!.m
0060  8d c3 96 20 bd e8 c1 63 49 a0 8e 56 a1 21 b6 e7   ... ...cI..V.!..
0070  aa 1f 31 7a cf 42 18 6b a7 9b 13 4d d3 aa 55 01   ..1z.B.k...M..U.
0080  d0 e3 a0 c9 00 58 13 01 13 02 c0 2c c0 2b c0 30   .....X.....,.+.0
0090  00 9d c0 2e c0 32 00 9f 00 a3 c0 2f 00 9c c0 2d   .....2...../...-
00a0  c0 31 00 9e 00 a2 c0 24 c0 28 00 3d c0 26 c0 2a   .1.....$.(.=.&.*
00b0  00 6b 00 6a c0 0a c0 14 00 35 c0 05 c0 0f 00 39   .k.j.....5.....9
00c0  00 38 c0 23 c0 27 00 3c c0 25 c0 29 00 67 00 40   .8.#.'.<.%.).g.@
00d0  c0 09 c0 13 00 2f c0 04 c0 0e 00 33 00 32 01 00   ...../.....3.2..
00e0  01 02 00 00 00 23 00 21 00 00 1e 64 69 72 65 63   .....#.!...direc
00f0  74 6f 72 79 2e 73 72 76 2e 54 45 53 54 2e 75 61   tory.srv.TEST.ua
0100  6c 62 65 72 74 61 2e 63 61 00 05 00 05 01 00 00   lberta.ca.......
0110  00 00 00 0a 00 20 00 1e 00 17 00 18 00 19 00 09   ..... ..........
0120  00 0a 00 0b 00 0c 00 0d 00 0e 00 16 01 00 01 01   ................
0130  01 02 01 03 01 04 00 0b 00 02 01 00 00 0d 00 16   ................
0140  00 14 04 03 05 03 06 03 04 01 05 01 06 01 04 02   ................
0150  02 03 02 01 02 02 00 32 00 16 00 14 04 03 05 03   .......2........
0160  06 03 04 01 05 01 06 01 04 02 02 03 02 01 02 02   ................
0170  00 11 00 09 00 07 02 00 04 00 00 00 00 00 17 00   ................
0180  00 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 2d   ..+............-
0190  00 02 01 01 00 33 00 47 00 45 00 17 00 41 04 04   .....3.G.E...A..
01a0  c8 eb 79 4d 02 24 a3 68 25 9d 5a 07 77 bf bb 06   ..yM.$.h%.Z.w...
01b0  c8 36 c0 96 1a 5c 88 e2 8a dd a9 17 4a 6c d6 c5   .6...\......Jl..
01c0  71 f5 f0 43 d7 d2 c1 67 95 d9 75 b9 4f f1 e2 8d   q..C...g..u.O...
01d0  40 23 d0 02 39 f7 83 f5 b8 05 75 a2 f3 3d ae ff   @#..9.....u..=..
01e0  01 00 01 00                                       ....

0000  00 04 00 01 00 06 00 50 56 a2 57 0e 00 00 08 00   .......PV.W.....
0010  45 00 00 28 9b 8c 40 00 40 06 ac b5 FF FF FF c6   E..(..@.@.....r.
0020  FF FF FF df 02 7c c9 0a 23 63 fa 86 f9 79 76 a1   ..a..|..#c...yv.
0030  50 10 01 f5 f2 a8 00 00                           P.......

0000  00 04 00 01 00 06 00 50 56 a2 57 0e 00 00 08 00   .......PV.W.....
0010  45 00 00 2f 9b 8d 40 00 40 06 ac ad FF FF FF c6   E../..@.@.....r.
0020  FF FF FF df 02 7c c9 0a 23 63 fa 86 f9 79 76 a1   ..a..|..#c...yv.
0030  50 18 01 f5 f2 af 00 00 15 03 03 00 02 02 28      P.............(


>> If I test connecting on the command line to the server in question, I
>> can  connect using any of RSA+SHA256, RSA+SHA384, and RSA+SHA512 from
>> the above  signature algorithms without issue, like:
>
> What sort of certificate does the server have.  Are there any ssl module
> settings in its openssl.cnf file?

no module settings for openssl.cnf.

For the server with the non-working cert, this is the x509 text output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ---
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
        Validity
            Not Before: Mar 26 17:49:45 2020 GMT
            Not After : Apr 30 21:21:03 2022 GMT
        Subject: C=CA, ST=Alberta, L=---
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:be:7a:f2:f6:aa:17:97:ec:06:d7:9f:ff:55:01:
                    4d:e9:97:50:99:3a:db:50:07:c2:7a:f5:23:b3:d1:
                    fe:f9:69:03:a8:74:d8:f3:6c:cc:e9:3b:ec:4e:48:
                    15:ac:d7:91:19:c7:e4:ad:0b:b0:52:58:4d:68:e8:
                    77:89:ae:ee:72:56:dd:72:8a:71:bf:de:0e:79:6d:
                    6d:e9:fb:a8:16:78:3f:eb:a0:a7:dc:ee:2e:b9:02:
                    94:86:8a:f9:ee:31:ab:39:11:aa:9e:83:12:d7:92:
                    5b:3e:99:45:44:dd:b4:4b:ca:4d:90:37:18:1c:1e:
                    a7:50:22:bf:c2:b5:0c:06:0b:c6:7e:81:0c:6a:43:
                    ee:69:f7:7b:3d:21:16:c6:3f:b2:33:a7:bd:15:0d:
                    df:c4:a4:c6:bb:3e:be:0e:6d:ef:2c:fa:1e:3c:0c:
                    1b:73:4f:80:79:8f:39:c9:38:93:c8:5d:b9:fb:0b:
                    62:86:b8:bd:31:fb:6f:1b:8b:55:0a:9d:4d:74:13:
                    6b:4e:90:6a:4b:56:71:d0:d4:97:b1:6c:dd:be:64:
                    ad:2b:f4:91:6a:9e:f8:73:5e:cb:b5:0b:e5:c9:c4:
                    85:a2:8b:2a:75:1f:b2:25:ad:4d:7c:21:41:76:8c:
                    e5:3e:28:7e:ac:39:ff:99:4f:66:e0:27:e5:b9:4f:
                    b6:5a:37:46:0d:5f:12:e3:f0:cc:04:28:48:f3:0c:
                    c5:32:76:99:40:58:c0:eb:ca:b5:22:00:c7:d3:93:
                    c4:9e:a6:20:25:ac:f8:9d:a0:02:c6:b6:23:02:e0:
                    77:3c:de:68:12:10:7f:9d:7e:70:f4:cf:49:b3:03:
                    9a:bc:20:87:85:b3:9f:27:08:02:16:f5:62:4b:b9:
                    ac:0a:2f:d9:de:f5:ef:64:51:2a:e1:5e:ed:10:15:
                    ff:91:c4:13:a6:ae:2f:88:9e:29:01:1d:f4:db:c1:
                    a4:e8:3c:74:97:59:2f:df:45:c1:2c:10:5e:b7:7c:
                    ab:ff:cc:a3:eb:a3:ec:e6:f7:e4:12:c2:1a:06:f2:
                    fb:ec:d4:50:f5:50:66:92:9d:96:e7:34:ab:8c:42:
                    dd:a8:ba:83:8a:9e:88:bd:0d:e7:fe:07:9f:50:c8:
                    db:34:e2:35:1a:10:2d:a5:b6:be:88:4c:f2:42:31:
                    35:83:b4:e2:9e:52:7f:db:5a:25:7d:82:f9:31:c0:
                    19:f3:bf:06:a3:44:ba:ff:6f:c2:3a:0c:72:82:f8:
                    30:ba:41:da:c0:49:0e:07:aa:83:c7:89:91:f3:02:
                    fc:1d:64:3b:7e:ec:60:9f:ef:21:bd:3f:e7:90:91:
                    73:60:48:98:08:28:6c:72:03:40:6b:1d:72:01:09:
                    97:f9:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            Authority Information Access:
                CA Issuers -
URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
                OCSP - URI:http://ocsp.globalsign.com/gsrsaovsslca2018

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.4146.1.20
                  CPS: https://www.globalsign.com/repository/
                Policy: 2.23.140.1.2.2

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.globalsign.com/gsrsaovsslca2018.crl

            X509v3 Subject Alternative Name:
                DNS:---
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
 
keyid:F8:EF:7F:F2:CD:78:67:A8:DE:6F:8F:24:8D:88:F1:87:03:02:B3:EB

            X509v3 Subject Key Identifier:
                ---
            1.3.6.1.4.1.11129.2.4.2: ---
    Signature Algorithm: sha256WithRSAEncryption
         99:3e:bd:18:22:63:b0:45:5a:9d:e0:9a:30:36:18:5c:c4:a6:
         72:d8:a7:b0:5f:c6:61:14:66:74:2b:0d:63:2c:57:04:05:a6:
         48:f7:19:09:3b:4e:20:70:54:92:30:77:b4:c0:3f:4d:d4:3f:
         fc:e0:ee:fb:5a:4b:7a:a9:3f:08:d7:f3:59:a9:10:0b:a7:88:
         10:4a:cd:a6:ae:8b:44:00:b7:bd:9e:29:ce:51:63:fe:82:ca:
         e2:4d:88:b0:ab:ff:dc:24:fe:a7:3e:7e:ea:78:3c:ea:fa:20:
         f0:37:72:33:cd:1d:fd:21:ae:35:d8:c8:f2:6c:e9:d6:88:d9:
         2e:6d:7b:46:49:be:7d:d4:ab:be:21:47:1a:95:ab:e2:31:e7:
         7f:50:19:41:22:18:2c:f0:53:7a:00:ca:c6:17:12:92:d8:ec:
         88:cf:87:ee:04:fd:89:71:61:08:4e:75:23:2b:6f:d6:ed:00:
         ae:9d:c2:16:b7:31:97:92:fc:88:86:e6:8a:3b:d8:19:42:f5:
         8b:52:03:0a:17:35:d2:e6:b1:f0:80:bf:fc:29:a7:42:72:67:
         9b:00:49:17:30:19:d2:6c:53:15:d2:73:1c:9f:5e:d7:c0:07:
         47:67:75:63:bf:4c:a6:32:22:f3:e3:5a:0b:15:ed:1c:56:79:
         78:d1:1d:63


For the working server,
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ---
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
        Validity
            Not Before: Aug  7 16:46:05 2019 GMT
            Not After : Oct 13 14:46:02 2021 GMT
        Subject: C=CA, ST=Alberta, L=---
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a0:cb:85:09:24:5f:d4:11:67:fc:4b:08:15:31:
                    14:8c:1f:01:ed:fe:e1:f3:b1:95:7a:31:a7:90:5e:
                    61:9d:47:fc:41:08:86:de:77:c3:18:18:d6:23:8d:
                    44:21:b1:f2:12:29:0d:85:e7:be:e2:ae:f8:de:ac:
                    a6:5c:36:f4:fc:be:cf:eb:28:a5:bf:9b:5b:32:c7:
                    96:1f:c6:41:7b:19:0f:39:ec:00:b2:50:f4:de:64:
                    33:55:71:81:ab:99:00:14:32:d9:65:9c:9b:ba:52:
                    a5:62:80:75:f4:ae:ed:65:70:77:ca:76:4d:b5:94:
                    ab:89:88:ef:2e:2c:db:54:15:e7:5d:05:c4:bb:46:
                    df:1b:6d:e2:60:70:f0:ea:08:d1:92:4f:5f:76:d0:
                    64:7a:2f:f4:a0:19:c8:d1:20:e6:59:8a:a1:90:76:
                    70:0c:48:5f:32:b7:66:77:c4:de:08:1c:9d:0c:f4:
                    f9:e1:88:02:90:c1:6f:46:c4:88:ae:91:18:08:04:
                    5f:e4:c6:ce:d6:f2:c1:23:31:61:7c:2c:cf:dc:2c:
                    17:b0:b5:b4:a9:24:c3:a5:c5:c9:04:38:63:e6:88:
                    79:88:0c:66:f5:f8:b5:d5:7f:b9:de:97:6d:2c:7d:
                    5b:33:ba:52:30:9f:0b:d7:16:8d:0c:69:36:5a:a2:
                    4c:41:99:c6:82:d4:cf:29:6e:a5:c0:91:c3:0a:6b:
                    57:6d:f3:ba:d4:74:d0:59:3b:a0:f2:79:18:54:8e:
                    f8:4f:18:75:7b:d9:d5:a9:56:c8:af:8a:5f:ce:93:
                    a7:c3:88:53:03:54:6d:4d:2a:36:d9:ee:0d:6d:9b:
                    72:6a:f3:d2:81:b3:0c:ad:1b:f8:0c:f6:1a:c0:bb:
                    23:f3:55:92:8d:31:bc:01:75:d1:f0:d9:cd:41:3a:
                    1f:d9:7a:3b:6c:17:e4:c8:91:eb:81:82:7f:01:1e:
                    f2:cf:77:44:e2:8f:97:d9:c6:f1:99:7a:58:7c:c1:
                    c1:9c:43:c6:89:9f:2c:ec:67:33:ef:66:36:c7:b7:
                    b9:db:f2:b5:f9:e7:6e:84:ec:44:95:e6:23:f6:fa:
                    d0:91:69:72:57:a1:23:8d:56:76:a7:5f:f2:f1:4a:
                    a6:d0:70:c5:d1:e1:4c:5f:c8:6c:34:94:42:ed:f6:
                    c8:36:db:5b:15:7f:4c:66:50:dc:d2:8c:45:5d:fc:
                    dd:67:20:e8:55:f3:84:5d:88:18:c8:c4:1b:c6:d6:
                    de:d0:dd:38:fb:4c:ac:68:9d:73:5e:52:c6:cf:50:
                    ca:1b:e9:b7:f7:50:c9:a5:27:df:d6:09:18:72:a3:
                    5a:5f:47:22:d5:e1:56:ae:9c:20:cd:c3:58:e6:ae:
                    b7:24:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            Authority Information Access:
                CA Issuers -
URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
                OCSP - URI:http://ocsp.globalsign.com/gsrsaovsslca2018

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.4146.1.20
                  CPS: https://www.globalsign.com/repository/
                Policy: 2.23.140.1.2.2

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.globalsign.com/gsrsaovsslca2018.crl

            X509v3 Subject Alternative Name:
                DNS:---
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
 
keyid:F8:EF:7F:F2:CD:78:67:A8:DE:6F:8F:24:8D:88:F1:87:03:02:B3:EB

            X509v3 Subject Key Identifier:
                ---
            1.3.6.1.4.1.11129.2.4.2: ---
    Signature Algorithm: sha256WithRSAEncryption
         5a:80:48:10:86:0d:f9:66:d3:bc:7b:35:a8:7b:20:8c:6c:c9:
         ca:ad:62:72:24:20:35:59:ba:aa:38:4e:c0:89:75:b9:ce:3d:
         b2:61:35:e9:4e:d8:bc:7b:8a:ee:23:2c:cc:ae:0a:12:2d:bc:
         27:c5:f6:13:3c:5d:1a:d9:83:4c:7c:bc:4e:f7:fd:f4:cf:77:
         3b:f1:be:6c:be:c0:8b:0c:4f:f2:3f:1f:c8:8d:8e:28:a2:af:
         17:bf:63:c0:60:25:96:b3:65:4c:8a:7e:6a:c1:8f:bc:48:b6:
         e7:85:89:a5:d2:96:98:c9:62:53:fd:12:1c:37:ce:b2:de:54:
         78:37:9a:a7:c3:65:1d:bd:65:bd:55:ac:72:bc:4a:43:41:ee:
         37:8a:e9:13:9e:56:34:35:f1:e0:72:0d:67:1f:52:ee:81:8d:
         86:d6:62:86:19:cd:5e:88:1e:7e:d0:c1:30:1b:39:bc:cf:b2:
         81:f3:73:af:72:6d:8a:fb:be:5c:c2:de:10:f5:ae:10:e4:d6:
         6b:cd:04:10:55:f2:81:71:a5:bb:6a:fc:b2:05:91:9a:33:2e:
         74:85:e2:58:78:56:a8:76:89:d6:05:38:dc:58:25:70:e0:49:
         44:b8:45:97:c5:42:c0:3c:ff:d8:a5:7d:60:b6:dd:fc:3d:69:
         d6:d1:31:82


Thanks!

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

On Fri, Jan 08, 2021 at 12:05:26PM -0800, Quanah Gibson-Mount wrote:

> >     https://www.spinics.net/lists/openssl-users/msg05623.html
>
> Thanks Viktor.  Mainly, I wasn't sure what specific information would be
> necessary.  Here's what wireshark shows (IP addresses obfuscated):

It would be really helpful (also to you) if you install a more
up-to-date version of tshark, or copy the pcap file to a machine
that already has one.  The version used below fails to understand
many relevant modern TLS extensions/features.

See annotations added:

The client almost certainly offered TLS 1.3 (via supported_versions),
but failed to offer a TLS 1.3-compatible RSA signature algorithm.

    https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme

Among the signature algorithms offered by the client:

None were PSS, and RFC 8446 says:

   In addition, the signature algorithm MUST be compatible with the key
   in the sender's end-entity certificate.  RSA signatures MUST use an
   RSASSA-PSS algorithm, regardless of whether RSASSA-PKCS1-v1_5
   algorithms appear in "signature_algorithms".  The SHA-1 algorithm
   MUST NOT be used in any signatures of CertificateVerify messages.

The certificate does not require PSS, but TLS 1.3 does.

--
    Viktor.

--On Friday, January 8, 2021 4:44 PM -0500 Viktor Dukhovni
<[hidden email]> wrote:

Hi Viktor,

I've relayed this to our client. ;)


I ran their pcap through my own updated version of tshark, and indeed:

            Extension: status_request_v2 (len=9)
                Type: status_request_v2 (17)
                Length: 9
                Certificate Status List Length: 7
                Certificate Status Type: OCSP Multi (2)
                Certificate Status Length: 4
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: supported_versions (len=9)
                Type: supported_versions (43)
                Length: 9
                Supported Versions length: 8
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
                Supported Version: TLS 1.1 (0x0302)
                Supported Version: TLS 1.0 (0x0301)
            Extension: psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment
(psk_dhe_ke) (1)
            Extension: key_share (len=71)
                Type: key_share (51)
                Length: 71
                Key Share extension
                    Client Key Share Length: 69
                    Key Share Entry: Group: secp256r1, Key Exchange length:
65
                        Group: secp256r1 (23)
                        Key Exchange Length: 65
                        Key Exchange:
04524e56171cf3e75903228cf4cc02687df2698bd43d167f…


> The certificate does not require PSS, but TLS 1.3 does.

Great, thanks so much for the help! I learned some along the way, which is
always a good thing. :)

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>