Thanks for the response, I'm not sure what you're saying here other than TLS 1.2 client cert auth processing is different from TLS x (where x<1.2); I would assume that the range of mechanisms would expand to include more robust algorithms as time goes on. However, here something is breaking backward compatibility with a client certificate that is still valid and otherwise correct as far as I can tell. Our (many) deployed clients support TLSv1.2 and this certificate is widely distributed - we are trying to upgrade the server side from TLSv1 to TLSv1.2 and this appears to be a blocker. Any recommendations? I'm still not clear what it is about this certificate that fails in TLSv1.2; I would define a server callback for the certificate verification (I might experiment with that anyway) but it's not clear to me that it would call the callback if the signature is failing. N. ________________________________________ From: openssl-users [openssl-users-bounces@xxxxxxxxxxx] on behalf of Dr. Stephen Henson [steve@xxxxxxxxxxx] Sent: February 26, 2016 3:06 PM To: openssl-users at openssl.org Subject: Re: [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature On Fri, Feb 26, 2016, Nounou Dadoun wrote: > I've extracted the certificates from the exchange to verify that the (tlsv1) successful handshake and the (tlsv1.2) failed handshake certificates are identical (they are) and I've also checked to make sure that the CA certificate that the server has for signature verification is the same as the CA certificate handed over by the client in the exchange (it is). > > I've also used the command line openssl verify to verify the certificate against the CA: > "client_cert_success.pem: OK" > > However it succeeds in TLSv1 and fails in TLSv1.2 (the one line change noted below). > > I've now attached the certificates for quick reference - can anyone see what might be causing the different behavior between TLSv1 and TLSv1.2? > The signature TLS uses for Client auth is different in TLS 1.2. For TLS < 1.2 the TLS signature is a combined MD5+SHA1 form for RSA. For TLS 1.2 it is the more standard DigestInfo signature which can use other algorithms such as SHA512 or SHA256. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users