git.ipfire.org Git - thirdparty/openssl.git/commit

]> git.ipfire.org Git - thirdparty/openssl.git/commit

projects / thirdparty / openssl.git / commit

author	Viktor Dukhovni <openssl-users@dukhovni.org>
	Wed, 26 Mar 2025 10:36:08 +0000 (21:36 +1100)
committer	Tomas Mraz <tomas@openssl.org>
	Mon, 31 Mar 2025 12:07:56 +0000 (14:07 +0200)
commit	a5f98e6da521934455898d49c8b2152a60b46925
tree	4c470ac5cbba5c82e712e84b51dd04a013d884c6	tree
parent	ea77608920e88812a5278be351e3ebbfdb81d992	commit \| diff

Fix sigalg corner cases

- Tolerate RSA PKCS#1 *certificate* signatures when
  the peer sigals include RSA PSS with the same digest.

  Now that we're more strict about not sending sigalgs that are out of
  protocol range, when the client supports TLS 1.3 only, we might refuse
  to return an RSA PKCS#1-signed cert.

- Don't send TLS 1.3 sigalgs when requesting client certs from
  a TLS 1.2 client.

Fixes: #1144
Fixes: #25277
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27166)

ssl/ssl_local.h		diff \| blob \| blame \| history
ssl/statem/extensions_clnt.c		diff \| blob \| blame \| history
ssl/t1_lib.c		diff \| blob \| blame \| history
test/certs/p256-ee-rsa-ca-cert.pem	[new file with mode: 0644]	blob
test/certs/p256-ee-rsa-ca-key.pem	[new file with mode: 0644]	blob
test/certs/setup.sh		diff \| blob \| blame \| history
test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt		diff \| blob \| blame \| history
test/recipes/75-test_quicapi_data/ssltraceref.txt		diff \| blob \| blame \| history
test/recipes/95-test_external_tlsfuzzer_data/cert.json.in		diff \| blob \| blame \| history
test/sslapitest.c		diff \| blob \| blame \| history

Mirror of https://github.com/openssl/openssl.git

RSS Atom