Bug 1411238 - openssl switches to (SHA1, RSA) if no usable signature algorithm is specified
Summary: openssl switches to (SHA1, RSA) if no usable signature algorithm is specified
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssl
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: Stefan Dordevic
Depends On:
TreeView+ depends on / blocked
Reported: 2017-01-09 08:48 UTC by Stanislav Zidek
Modified: 2017-08-01 18:16 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 18:16:10 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1410573 0 unspecified CLOSED RFC violation in handling signature algorithms extensions (fix by rebase to 3.28.x) 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2017:1929 0 normal SHIPPED_LIVE openssl bug fix and enhancement update 2017-08-01 18:08:01 UTC

Internal Links: 1410573

Description Stanislav Zidek 2017-01-09 08:48:42 UTC
Description of problem:
If client sends only (MD5, RSA) in signature algorithms in ClientHello (or any other combination not supported by the server), it uses (SHA1, RSA) by default. This violates RFC 5246 (see bz1410573 for further details).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. start s_server
2. send ClientHello containing only (MD5, RSA) signature algorithm
3. look at signature algorithm used in ServerKeyExchange

Actual results:
(SHA1, RSA) is used

Expected results:
Connection is aborted.

Additional info:
This is already fixed in openssl-1.0.2j-1.fc24

Comment 2 Tomas Mraz 2017-04-03 14:34:41 UTC

*** This bug has been marked as a duplicate of bug 1276310 ***

Comment 6 errata-xmlrpc 2017-08-01 18:16:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.