On Fri, Aug 26, 2022 at 01:28:21PM -0700, radiatejava wrote:

> >> and then the same ECDSA key verified by the CA to sign a hash over the transcript of the handshake itself
>
> Which part of the TLS handshake you are talking about? Are you talking
> about the three messages from the client to server messages that are -
> ClientKeyExchange, ChangeCipherSpec, ClientFinished? In my
> understanding, ClientKeyExchange, ChangeCipherSpec are not encrypted
> and the last one ClientFinished is encrypted but using the keys
> derived from ECDHE key exchange algorithm. Is that not right?

Other than with TLS 1.0--1.2 anon-DHE and anon-ECDHE ciphersuites, the
server key exchange message parameters are signed with the server's
public key. If a client certificate is solicited, the client's
ClientVerify message is signed with the client's public key.

I am not aware of any anon-DHE or anon-ECDHE ciphers for TLS 1.3. I'd
advocate for these to be added (for unauthenticated opportunistic TLS),
if I did not suspect that there would be little support for them at
present.

--
Viktor.
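
Added example, not part of the original message or of any TLS library: a Python sketch of how a TLS 1.2 ECDHE ServerKeyExchange body splits into the signed parameters and the signature, and which bytes that signature covers (layout per RFC 5246 and RFC 8422). The function names and sample bytes are constructed for illustration; the point and signature are dummy values and no signature is verified.

```python
import struct

NAMED_CURVE = 3  # ECCurveType.named_curve

def parse_ecdhe_ske(body: bytes, anonymous: bool = False) -> dict:
    """Split a TLS 1.2 ECDHE ServerKeyExchange body into params and signature."""
    if len(body) < 4:
        raise ValueError("truncated ServerECDHParams")
    curve_type, named_curve, point_len = struct.unpack_from("!BHB", body, 0)
    if curve_type != NAMED_CURVE:
        raise ValueError("only named_curve is handled")
    params_end = 4 + point_len
    if len(body) < params_end:
        raise ValueError("truncated EC point")
    out = {"named_curve": named_curve, "params": body[:params_end],
           "sig_alg": None, "signature": None}
    rest = body[params_end:]
    if anonymous:
        # anon-ECDHE: nothing follows the params, so no key vouches for them
        if rest:
            raise ValueError("unexpected data after anonymous params")
        return out
    if len(rest) < 4:
        raise ValueError("missing signature on an authenticated ciphersuite")
    hash_alg, sig_alg, sig_len = struct.unpack_from("!BBH", rest, 0)
    if len(rest) != 4 + sig_len:
        raise ValueError("signature length mismatch")
    out["sig_alg"] = (hash_alg, sig_alg)
    out["signature"] = rest[4:]
    return out

def signed_content(client_random: bytes, server_random: bytes, params: bytes) -> bytes:
    """Bytes the signature covers: both hello randoms, then ServerECDHParams."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("hello randoms are 32 bytes each")
    return client_random + server_random + params

# Constructed sample: secp256r1 (23), dummy 65-byte point, dummy 8-byte signature
POINT = b"\x04" + bytes(range(64))
PARAMS = struct.pack("!BHB", NAMED_CURVE, 23, len(POINT)) + POINT
SIGNED_SKE = PARAMS + struct.pack("!BBH", 4, 3, 8) + b"\xaa" * 8  # sha256, ecdsa
ANON_SKE = PARAMS  # anon-ECDHE body: params only

if __name__ == "__main__":
    ske = parse_ecdhe_ske(SIGNED_SKE)
    tbs = signed_content(b"\x01" * 32, b"\x02" * 32, ske["params"])
    print(ske["sig_alg"], len(ske["signature"]), len(tbs))
```
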