diff options
| author |   jsing <jsing@openbsd.org> | 2018-11-19 14:42:01 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2018-11-19 14:42:01 +0000 |
| commit | 0e2b24c4ae669764716dd5627a477daaf0895a8f (patch) | |
| tree | 0b5719c2471eb2d7fee024f05da07b716ee38233 /lib/libssl/ssl_cert.c | |
| parent | evbuffer_new and bufferevent_new can both fail (when malloc fails) and (diff) | |
| download | wireguard-openbsd-0e2b24c4ae669764716dd5627a477daaf0895a8f.tar.xz wireguard-openbsd-0e2b24c4ae669764716dd5627a477daaf0895a8f.zip | |
Revert previous - the default sigalg for RSA key exchange is {sha1,rsa}.
In TLSv1.2, if the client does not send a signature algorithms extension
then for RSA key exchange a signature algorithm of {sha1,rsa} is implied.
The MD5+SHA1 hash only applies to older versions of TLS, which do not
support sigalgs.
Diffstat (limited to 'lib/libssl/ssl_cert.c')
| -rw-r--r-- | lib/libssl/ssl_cert.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c index e78335c5bbb..313ff3ae5ca 100644 --- a/lib/libssl/ssl_cert.c +++ b/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.71 2018/11/16 02:41:16 beck Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.72 2018/11/19 14:42:01 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -161,11 +161,11 @@ SSL_get_ex_data_X509_STORE_CTX_idx(void) static void ssl_cert_set_default_sigalgs(CERT *cert) { - /* Set digest values to legacy defaults */ + /* Set digest values to defaults */ cert->pkeys[SSL_PKEY_RSA_SIGN].sigalg = - ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); + ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); cert->pkeys[SSL_PKEY_RSA_ENC].sigalg = - ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); + ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); cert->pkeys[SSL_PKEY_ECC].sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); #ifndef OPENSSL_NO_GOST |