Bug 1681178 - openssl server application should not negotiate TLS 1.3 if the private key from PKCS#11 does not support RSA-PSS nor raw-RSA
Summary: openssl server application should not negotiate TLS 1.3 if the private key fr...
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssl
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Sahana Prasad
QA Contact: BaseOS QE Security Team
Alexandra Nikandrova
Depends On: 1701233
TreeView+ depends on / blocked
Reported: 2019-02-25 16:06 UTC by Jakub Jelen
Modified: 2020-08-10 12:06 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.The `OpenSSL TLS` library does not detect if the `PKCS#11` token supports creation of `raw RSA` or `RSA-PSS` signatures The `TLS-1.3` protocol requires the support for `RSA-PSS` signature. If the `PKCS#11` token does not support `raw RSA` or `RSA-PSS` signatures, the server applications which use `OpenSSL` `TLS` library will fail to work with the `RSA` key if it is held by the `PKCS#11` token. As a result, `TLS` communication will fail. To work around this problem, configure server or client to use the `TLS-1.2` version as the highest `TLS` protocol version available.
Clone Of:
Last Closed:
Type: Bug
Target Upstream Version:
anikandr: needinfo+

Attachments (Terms of Use)

Comment 2 Tomas Mraz 2019-02-26 08:43:08 UTC
I'd say this is mostly cosmetic issue. On the server side you can easily workaround it by setting the supported maximum protocol version to TLS-1.2. We should probably document it.

Note You need to log in before you can comment on or make changes to this bug.