Hi,

On Fri, 1 Jul 2016 15:29:53 +0200
"pepone.onrez" <pepone.onrez at gmail.com> wrote:

> After upgrading my software to use OpenSSL-1.1 one of the tests is
> failing, the test in question client and server are configured to use
> DSA certificates. The server is configured to request a client
> certificate.

I can't answer your question, but I have one for you: Why do you use DSA?

There was a discussion in the TLS working group a while ago about DSA support and there was overwhelming support to remove it in TLS 1.3. The rationale was basically that DSA in TLS is rarely used at all, is often used with insecure key sizes (1024 bit) and has a severe weakness when it comes to bad random numbers. On top of that it has basically no advantage over the much more widely used RSA. The original reason (in the early 90s) to use DSA over RSA was patent issues, but those are long expired.

So my (and I think most others') impression is that DSA in TLS is as dead as it can be and probably the most sane move for OpenSSL would be to just remove it.

Given that, I'd like to know why you seem to have chosen to still use DSA.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42