TLS 1.2 Signature Algorithms ClientHello extension

Heit, James R James.Heit at UNISYS.com
Mon Dec 19 21:19:39 CET 2011


Hello,

I have been working on the implementation of the TLS 1.2 protocol. TLS 1.2 requires servers to handle the Signature Algorithms extension to the ClientHello handshake message. My reading of RFC 5246 (7.4.1.4.1.) indicates that if the client presents the extension (it can be omitted), it should include all hash/signature algorithm pairs the client is willing to process. While running the latest version of FileZilla, which uses GnuTLS 2.10.4, the only proposed Signature Algorithm is {SHA512,RSA}. If I stick with the RFC, the handshake will fail, as my {SHA1,RSA} signed certificate is not in the list.
I'm not saying Microsoft is always right (in this case I think they are), but IE8/Win7 sends 7 Signature Algorithms in the extension: {SHA256,RSA},{SHA384,RSA},{SHA1,RSA},{SHA256,ECDSA},{SHA384,ECDSA},{SHA1,ECDSA},{SHA1,DSA}.

Thanks and looking forward to your response.

Jim Heit



James Heit  |  Principal Engineer  |  OSD Networking

Unisys  |  2470 Highcrest Road, Roseville, MN, USA |  1-651-635-7739 |  Net2 524-7739
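
The server-side check discussed in this message, as an added example that is not part of the original post or of GnuTLS: it parses the `extension_data` of a signature_algorithms extension using the RFC 5246 7.4.1.4.1 code points and tests whether a certificate's hash/signature pair was offered. The function names and the two byte strings are constructed for illustration from the lists quoted in the message.

```python
import struct

# Code points from RFC 5246 section 7.4.1.4.1.
HASH = {0: "none", 1: "MD5", 2: "SHA1", 3: "SHA224",
        4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIG = {0: "anonymous", 1: "RSA", 2: "DSA", 3: "ECDSA"}


def parse_signature_algorithms(ext_data: bytes):
    """Return the offered (hash, signature) name pairs, in client order."""
    if len(ext_data) < 2:
        raise ValueError("truncated length field")
    (n,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    # supported_signature_algorithms<2..2^16-2>: a non-empty run of
    # two-byte pairs that must fill the extension exactly.
    if n < 2 or n % 2 or n != len(body):
        raise ValueError("malformed supported_signature_algorithms vector")
    return [(HASH.get(body[i], f"hash({body[i]})"),
             SIG.get(body[i + 1], f"sig({body[i + 1]})"))
            for i in range(0, n, 2)]


def certificate_allowed(ext_data, cert_pair, default_pair=("SHA1", "RSA")):
    """Hypothetical helper: is the certificate's signature pair acceptable?

    ext_data is None when the client omitted the extension; RFC 5246 then
    has the server act as if {sha1,rsa} had been sent for RSA-based key
    exchanges (the default assumed here; DSS and ECDSA suites differ).
    """
    if ext_data is None:
        offered = [default_pair]
    else:
        offered = parse_signature_algorithms(ext_data)
    return cert_pair in offered


# Constructed samples matching the lists quoted in the message.
FILEZILLA_LIKE = bytes.fromhex("0002" "0601")            # {SHA512,RSA}
IE8_LIKE = bytes.fromhex("000e" "0401" "0501" "0201"     # RSA pairs
                         "0403" "0503" "0203" "0202")    # ECDSA pairs, DSA

if __name__ == "__main__":
    for name, data in (("FileZilla-like", FILEZILLA_LIKE),
                       ("IE8-like", IE8_LIKE), ("omitted", None)):
        print(name, certificate_allowed(data, ("SHA1", "RSA")))
```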

