On 1 July 2016 at 16:40, Hanno Böck <hanno at hboeck.de> wrote:
> Hi,
>
> On Fri, 1 Jul 2016 15:29:53 +0200
> "pepone.onrez" <pepone.onrez at gmail.com> wrote:
>
>> After upgrading my software to use OpenSSL-1.1, one of the tests is
>> failing. In the test in question, client and server are configured to use
>> DSA certificates. The server is configured to request a client
>> certificate.
>
> I can't answer your question, but I have one for you: Why do you use DSA?
>
> There was a discussion in the TLS working group a while ago about DSA
> support and there was overwhelming support to remove it in TLS 1.3.
> The rationale was basically that DSA in TLS is rarely used at all, is
> often used with insecure key sizes (1024 bit) and has a severe weakness
> when it comes to bad random numbers. On top of that it has basically no
> advantage over the much more widely used RSA. The original reason
> (in the early 90s) to use DSA over RSA was patent issues, but those are
> long expired.
>
> So my (and I think most others') impression is that DSA in TLS is as
> dead as it can be and probably the most sane move for OpenSSL would be
> to just remove it. Given that, I'd like to know why you seem to have
> chosen to still use DSA.

That is part of a large test suite for a library, just trying to ensure that everything still works with OpenSSL 1.1.0.

> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: hanno at hboeck.de
> GPG: BBB51E42