Revert previous - the default sigalg for RSA key exchange is {sha1,rsa}.

In TLSv1.2, if the client does not send a signature algorithms extension then for RSA key exchange a signature algorithm of {sha1,rsa} is implied. The MD5+SHA1 hash only applies to older versions of TLS, which do not support sigalgs.
author: jsing <> 2018-11-19 14:42:01 +0000
committer: jsing <> 2018-11-19 14:42:01 +0000
commit: f39fde5c79d475a432ea62e161eedefaee537cea (patch)
tree: ed71c1e0dd68e58af17cb4ec75a79c483f68dc21
parent: e03dc031fa67e7d982aeacfea51fb4615d4783b6 (diff)
download: openbsd-f39fde5c79d475a432ea62e161eedefaee537cea.tar.gz
openbsd-f39fde5c79d475a432ea62e161eedefaee537cea.tar.bz2
openbsd-f39fde5c79d475a432ea62e161eedefaee537cea.zip
1 files changed, 4 insertions, 4 deletions
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index e78335c5bb..313ff3ae5c 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.71 2018/11/16 02:41:16 beck Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.72 2018/11/19 14:42:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -161,11 +161,11 @@ SSL_get_ex_data_X509_STORE_CTX_idx(void)
 static void
 ssl_cert_set_default_sigalgs(CERT *cert)
 {
-        /* Set digest values to legacy defaults */
+        /* Set digest values to defaults */
        cert->pkeys[SSL_PKEY_RSA_SIGN].sigalg =
-            ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
+            ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
        cert->pkeys[SSL_PKEY_RSA_ENC].sigalg =
-            ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
+            ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
        cert->pkeys[SSL_PKEY_ECC].sigalg =
            ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
 #ifndef OPENSSL_NO_GOST
author	jsing <>	2018-11-19 14:42:01 +0000
committer	jsing <>	2018-11-19 14:42:01 +0000
commit	f39fde5c79d475a432ea62e161eedefaee537cea (patch)
tree	ed71c1e0dd68e58af17cb4ec75a79c483f68dc21
parent	e03dc031fa67e7d982aeacfea51fb4615d4783b6 (diff)
download	openbsd-f39fde5c79d475a432ea62e161eedefaee537cea.tar.gz openbsd-f39fde5c79d475a432ea62e161eedefaee537cea.tar.bz2 openbsd-f39fde5c79d475a432ea62e161eedefaee537cea.zip

diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index e78335c5bb..313ff3ae5c 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_cert.c,v 1.71 2018/11/16 02:41:16 beck Exp $ */	1	/* $OpenBSD: ssl_cert.c,v 1.72 2018/11/19 14:42:01 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -161,11 +161,11 @@ SSL_get_ex_data_X509_STORE_CTX_idx(void)
161	static void	161	static void
162	ssl_cert_set_default_sigalgs(CERT *cert)	162	ssl_cert_set_default_sigalgs(CERT *cert)
163	{	163	{
164	/* Set digest values to legacy defaults */	164	/* Set digest values to defaults */
165	cert->pkeys[SSL_PKEY_RSA_SIGN].sigalg =	165	cert->pkeys[SSL_PKEY_RSA_SIGN].sigalg =
166	ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);	166	ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
167	cert->pkeys[SSL_PKEY_RSA_ENC].sigalg =	167	cert->pkeys[SSL_PKEY_RSA_ENC].sigalg =
168	ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);	168	ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
169	cert->pkeys[SSL_PKEY_ECC].sigalg =	169	cert->pkeys[SSL_PKEY_ECC].sigalg =
170	ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);	170	ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
171	#ifndef OPENSSL_NO_GOST	171	#ifndef OPENSSL_NO_GOST