TLS 1.2 Signature Algorithms ClientHello extension

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Dec 24 11:11:00 CET 2011


On Mon, Dec 19, 2011 at 10:19 PM, Heit, James R <James.Heit at unisys.com> wrote:

> Hello,
>
> I have been working on the implementation of the TLS 1.2 protocol.  TLS
> 1.2 requires servers to handle the Signature Algorithms extension to the
> ClientHello handshake message.  My reading of RFC 5246 (7.4.1.4.1.)
> indicates that if the client presents the extension (it can be omitted) it
> should include all hash/signature algorithm pairs the client is willing to
> process.  While running the latest version of FileZilla, which uses GnuTLS
> 2.10.4, the only proposed Signature Algorithm is {SHA512,RSA}.  If I stick
> with the RFC, the handshake will fail, as my {SHA1,RSA} signed certificate
> is not in the list.
>
> I’m not saying Microsoft is always right (in this case I think they are),
> but IE8/Win7 sends 7 Signature Algorithms in the extension:
> {SHA256,RSA},{SHA384,RSA},{SHA1,RSA},{SHA256,ECDSA},{SHA384,ECDSA},{SHA1,ECDSA},{SHA1,DSA}.
>

Hello,
This is a configuration issue. FileZilla, for some reason unknown to me,
only enables 256-bit ciphersuites and signature algorithms. If you use
gnutls-cli with your server you'll see that gnutls sends all options.

regards,
Nikos
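
The server-side check discussed in this thread, as an added example that is not part of the original messages and is not GnuTLS code: it decodes the `signature_algorithms` extension body using the RFC 5246 (7.4.1.4.1) code points and tests whether a certificate chain's signature pairs were offered. The function names and the two byte strings are constructed for illustration from the offers quoted above; treating an omitted extension as the union of the SHA-1 defaults is a simplifying assumption.

```python
import struct

# HashAlgorithm / SignatureAlgorithm code points from RFC 5246, 7.4.1.4.1
HASHES = {0: "NONE", 1: "MD5", 2: "SHA1", 3: "SHA224",
          4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIGS = {0: "ANON", 1: "RSA", 2: "DSA", 3: "ECDSA"}

# When the extension is omitted the RFC has the server assume a SHA-1 pair
# chosen by key exchange; the union is used here (simplifying assumption).
IMPLICIT_DEFAULTS = [("SHA1", "RSA"), ("SHA1", "DSA"), ("SHA1", "ECDSA")]

def parse_signature_algorithms(ext_data):
    """Decode extension_data into a list of (hash, signature) name pairs.

    ext_data is the extension body: a 2-byte length followed by 2-byte pairs.
    None means the client omitted the extension.
    """
    if ext_data is None:
        return list(IMPLICIT_DEFAULTS)
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    # The list must be non-empty, even-sized and match the declared length.
    if length != len(body) or length == 0 or length % 2:
        raise ValueError("malformed signature_algorithms length")
    return [(HASHES.get(body[i], f"hash_{body[i]}"),
             SIGS.get(body[i + 1], f"sig_{body[i + 1]}"))
            for i in range(0, length, 2)]

def chain_acceptable(offered, chain_pairs):
    """True if every certificate signature pair in the chain was offered."""
    return all(pair in offered for pair in chain_pairs)

# Constructed sample bodies matching the two offers quoted in the thread.
FILEZILLA_OFFER = bytes.fromhex("00020601")  # {SHA512,RSA}
IE8_OFFER = bytes.fromhex("000e0401050102010403050302030202")

if __name__ == "__main__":
    server_chain = [("SHA1", "RSA")]  # the {SHA1,RSA} signed certificate
    for name, data in [("FileZilla", FILEZILLA_OFFER), ("IE8", IE8_OFFER),
                       ("no extension", None)]:
        offered = parse_signature_algorithms(data)
        print(name, offered, chain_acceptable(offered, server_chain))
```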


More information about the Gnutls-devel mailing list