On Mon, Mar 16, 2015, Jacques FLORENCE wrote: > Hello, > I am developing a simple client/server application with openSSL. > > Using wireshark, I can see in the Client Hello message that there is an > extension signature_algorithms, in which are fields Signature Hash > Algorithms. > I can see a lot of supported algorithms, such as RSA, DSA, ECDSA in the > fields *Signature Hash Algorithm Signature* ,and SHA1, SHA256, MD5, > ... for *Signature > Hash Algorithm Hash*. > > The same behavior happens in the Server Key Exchange message. > My question is: how can I restrict this list of algorithms to use only one? > Note that I am already using the function set_cipher_list(), and as a > consequence, the field *Cipher Suites* in those messages only contains the > suite I want to use. So I don't know what is the API function to use > instead of ssl_ctx_set_cipher_list(). > > I didn't find anything in the documentation. > You need OpenSSL 1.0.2 to set a custom supported signature algorithms extension. You can use the macro SSL_CTX_set1_sigalgs_list(ctx, sigstring) where "sigstring" has the format of SignatureAlgorithms documented at: https://www.openssl.org/docs/ssl/SSL_CONF_cmd.html For example SSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256"); For the signature algorithm associated with client authentication you use SSL_CTX_set1_client_sigalgs_list instead. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org
