On 15/08/2023 19:47, Ma Zhenhua wrote:
Hi Team,
I know that both key exchange and authentication methods of
AES256-GCM-SHA384 are RSA, the authentication method of
ECDHE-RSA-CAMELLIA128-SHA256 is RSA.
I'm using 1_1_1_stable branch and would like to figure out which RSA key
exchange and/or RSA signature algorithm 1_1_1_stable is using
for ciphers AES256-GCM-SHA384 and ECDHE-RSA-CAMELLIA128-SHA256. Thanks
in advance.
■RSA Key Exchange
RSA-KEM
RSA-OAEP
RSA-PKCS#1 v1.5
RSA (raw RSA, a raw RSA encryption method that does not perform padding
processing)
■RSA Signature
RSA-PSS
RSA-PKCS#1 v1.5
RSA (raw RSA, a raw RSA encryption method that does not perform padding
processing)

I answered your github discussion on this same topic before I saw your
posting here:
https://github.com/openssl/openssl/discussions/21744
Repeating my answer for the benefit of the rest of openssl-users:
For AES256-GCM-SHA384, RSA key exchange is used. RFC 5264 section
7.4.7.1 says this about it:

    The RSAES-OAEP encryption scheme defined in [PKCS1] is more secure
    against the Bleichenbacher attack. However, for maximal
    compatibility with earlier versions of TLS, this specification uses
    the RSAES-PKCS1-v1_5 scheme. No variants of the Bleichenbacher
    attack are known to exist provided that the above recommendations are
    followed.

In the case of ECDHE-RSA-CAMELLIA128-SHA256, RSA is used for signing
only (not key exchange) and an additional ServerKeyExchange message is
sent containing the signature. The actual signature scheme used is
negotiated separately to the ciphersuite based on the capabilities of
the client and server and could be either RSASSA-PSS or RSASSA-PKCS1-v1_5.
Matt
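
The distinction in the reply above can be checked against a server's configured cipher list. The following is an added example, not part of the original thread or of OpenSSL: it parses lines in the layout printed by `openssl ciphers -v` and reports, per suite, whether RSA is used for encryption of the premaster secret or only for signing. The sample input is constructed, and the function names are assumptions of this example.

```python
import re

# Constructed sample in the layout printed by `openssl ciphers -v`
# (written for this example, not captured from the thread).
SAMPLE = """\
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")


def parse_suite(line):
    """Split one `openssl ciphers -v` line into name, protocol and Kx/Au/Enc/Mac."""
    parts = line.split()
    fields = dict(FIELD.findall(line))
    if len(parts) < 2 or "Kx" not in fields or "Au" not in fields:
        return None  # blank or unrecognised line
    return {"name": parts[0], "proto": parts[1], **fields}


def rsa_usage(suite):
    """Map Kx/Au to the RSA schemes named in the reply above (TLS 1.2 and earlier)."""
    usage = {"name": suite["name"], "rsa_encryption": None, "rsa_signature": []}
    if suite["Kx"] in ("RSA", "RSAPSK"):
        # RSA key transport: the client encrypts the premaster secret to the
        # server's RSA key, so no RSA-signed ServerKeyExchange is involved.
        usage["rsa_encryption"] = "RSAES-PKCS1-v1_5"
    elif suite["Au"] == "RSA":
        # Ephemeral key exchange with an RSA certificate: RSA only signs the
        # ServerKeyExchange; the scheme is negotiated apart from the suite.
        usage["rsa_signature"] = ["RSASSA-PSS", "RSASSA-PKCS1-v1_5"]
    return usage


def audit(text):
    """Return the RSA usage of every recognisable suite line in `text`."""
    suites = (parse_suite(line) for line in text.splitlines())
    return [rsa_usage(s) for s in suites if s is not None]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Suites reported with `rsa_encryption` set are the ones the quoted RFC text about the Bleichenbacher attack applies to.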