Hi. Visit https://www.ssllabs.com/ssltest/viewMyClient.html and check
out "Protocol Details -> Signature algorithms". I expect you'll find
that your browser doesn't offer SHA512/RSA.

Judging from a recent discussion on the IETF TLS list [1], there seems
to be some confusion over whether the TLS signature_algorithms extension
should 1) restrict the permitted certificate signature algorithms and
the non-certificate uses of digital signatures in the TLS protocol or 2)
only restrict the non-certificate uses of digital signatures in the TLS
protocol.

Those taking view 2 don't offer SHA512/RSA because no cipher suites
require it. I've concluded that, sadly, certs signed with SHA512/RSA
basically don't work for TLS.

[1] http://www.ietf.org/mail-archive/web/tls/current/msg13606.html

On 02/10/14 07:00, mayak wrote:
hi all,
indeed -- i generated a new set of certs and tested:
a signature of sha256 results in TLSv* being offered
a signature of sha512 results in TLSv* _not_ being offered
certs with 4096 bit keys work fine
i suspect that there is a variable that is not long enough to support
the signature ...
thanks!
m
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
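
An added example, not part of the original message: a small Python parser for the TLS 1.2 signature_algorithms extension (code points from RFC 5246) that reports whether a client offers a given hash/signature pair such as SHA512/RSA. The function names and the sample bytes are constructed for illustration.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1)
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
EXT_SIGNATURE_ALGORITHMS = 13


def parse_extensions(blob):
    """Split a ClientHello extensions block (outer 2-byte length removed) into {type: data}."""
    exts, off = {}, 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", blob, off)
        off += 4
        if off + ext_len > len(blob):
            raise ValueError("truncated extension body")
        exts[ext_type] = blob[off:off + ext_len]
        off += ext_len
    return exts


def offered_pairs(ext_data):
    """Decode signature_algorithms extension_data into (hash, signature) name pairs."""
    if len(ext_data) < 2:
        raise ValueError("missing list length")
    (list_len,) = struct.unpack_from("!H", ext_data, 0)
    if list_len % 2 or list_len != len(ext_data) - 2:
        raise ValueError("bad supported_signature_algorithms length")
    body = ext_data[2:]
    return [(HASHES.get(body[i], "hash_%d" % body[i]),
             SIGS.get(body[i + 1], "sig_%d" % body[i + 1]))
            for i in range(0, list_len, 2)]


def client_offers(extensions_blob, hash_name, sig_name):
    """True/False when the extension is present, None when the client did not send it."""
    exts = parse_extensions(extensions_blob)
    if EXT_SIGNATURE_ALGORITHMS not in exts:
        return None
    return (hash_name, sig_name) in offered_pairs(exts[EXT_SIGNATURE_ALGORITHMS])


# Constructed sample: one signature_algorithms extension offering
# sha256/rsa, sha384/rsa, sha1/rsa and sha256/ecdsa, but not sha512/rsa.
SAMPLE = bytes.fromhex("000d000a0008" "0401" "0501" "0201" "0403")

if __name__ == "__main__":
    print("sha512/rsa offered:", client_offers(SAMPLE, "sha512", "rsa"))
```
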