Viktor Dukhovni wrote:
>
> > On Mar 24, 2017, at 1:08 AM, Martin Thomson <martin.thom...@gmail.com> wrote:
> >
> >> I've never seen
> >> a TLS server that has multiple chains to choose from for the same
> >> server identity.
>
> [ https://www.cloudflare.com/ ]
>
> Both chains of course use SHA256.

Actually, looking at the DigiCert-issued ECC cert for www.cloudflare.com
I'm a little confused.

This is the cert chain (as visualized by Microsoft CryptoAPI):

  server-cert:      CN=cloudflare.com, ...
                    contains ECDSA P-256 public key
                    is allegedly signed with sha256ECDSA

  intermediate CA:  CN=DigiCert ECC Extended Validation Server CA
                    contains ECDSA P-384 public key
                    is allegedly signed with sha384RSA

  root CA:          CN=DigiCert High Assurance EV Root CA
                    contains RSA 2048-bit public key
                    is self-signed with sha1WithRsaEncryption

For those who insist on reading rfc5246 verbatim, this chain requires
ECDSA+SHA384:RSA+SHA384:RSA+SHA1

The digital signature on the server certificate looks bogus to me;
that should be a sha384ECDSA signature according to NIST, because it
uses a P-384 signing key.

The signature on the intermediate CA is imbalanced, and should be
sha256RSA rather than sha384RSA. (That is only an interop issue,
not a security issue.)

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
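The two observations in the message above (a certificate signed with a hash weaker than its issuer's key, and one signed with a hash stronger than its issuer's key) generalise to a simple chain audit. The script below is an added example for this thread, not code from the original post or from DigiCert or Cloudflare. It describes the chain as structured data transcribed from the listing above (nothing is fetched or parsed from the live certificates), rates keys and hashes with the comparable-strength figures from NIST SP 800-57 Part 1, derives the TLS 1.2 signature_algorithms a client would have to offer for every signature in the chain under a literal reading of RFC 5246 (computed mechanically from the hash named on each certificate), and flags each signature whose hash strength is below or above the signing key's strength. The `Cert` type, the finding codes and the `CLOUDFLARE_CHAIN` transcription are all constructed for this example.

```python
"""Audit the signature/key algorithm pairing of an X.509 chain, leaf first.

Hypothetical checker written for this thread (not a tool from the original
post, DigiCert or Cloudflare). The chain below is a constructed description
transcribed from the listing in the post; nothing is fetched or parsed from
the live certificates.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

# Comparable security strengths in bits, per NIST SP 800-57 Part 1.
KEY_STRENGTH = {
    ("RSA", 2048): 112, ("RSA", 3072): 128, ("RSA", 7680): 192,
    ("EC", "P-256"): 128, ("EC", "P-384"): 192, ("EC", "P-521"): 256,
}
# SHA-1 is listed at its nominal 80-bit collision strength; it is
# deprecated for signatures regardless of the number.
HASH_STRENGTH = {"SHA1": 80, "SHA256": 128, "SHA384": 192, "SHA512": 256}
# RFC 5246 SignatureAlgorithm name for each public-key family.
SIG_FAMILY = {"RSA": "RSA", "EC": "ECDSA"}


@dataclass(frozen=True)
class Cert:
    subject: str
    key_type: str                 # "RSA" or "EC" (the key this cert carries)
    key_param: Union[int, str]    # RSA modulus bits or EC curve name
    sig_hash: str                 # hash used in the signature ON this cert


def issuer_of(chain: List[Cert], i: int) -> Cert:
    """Issuer of chain[i]; the last certificate is taken to be self-signed."""
    return chain[i + 1] if i + 1 < len(chain) else chain[i]


def required_sigalgs(chain: List[Cert]) -> List[str]:
    """signature_algorithms a TLS 1.2 client must list for every signature in
    the chain to be covered, under a literal reading of RFC 5246 (the root's
    self-signature included), in OpenSSL 'SIG+HASH' spelling, leaf first."""
    out: List[str] = []
    for i, cert in enumerate(chain):
        name = f"{SIG_FAMILY[issuer_of(chain, i).key_type]}+{cert.sig_hash}"
        if name not in out:
            out.append(name)
    return out


Finding = Tuple[str, str, str]   # (subject, code, detail)


def audit(chain: List[Cert]) -> List[Finding]:
    """Flag signatures whose hash strength does not match the signing key."""
    findings: List[Finding] = []
    for i, cert in enumerate(chain):
        issuer = issuer_of(chain, i)
        key_bits = KEY_STRENGTH[(issuer.key_type, issuer.key_param)]
        hash_bits = HASH_STRENGTH[cert.sig_hash]
        signer = f"{issuer.key_type} {issuer.key_param} ({key_bits}-bit)"
        if cert.sig_hash == "SHA1":
            findings.append((cert.subject, "SHA1",
                             "SHA-1 signature: deprecated for any new signature"))
        if hash_bits < key_bits:
            findings.append((cert.subject, "HASH_WEAKER",
                             f"{cert.sig_hash} ({hash_bits}-bit) under {signer}: "
                             f"signature strength capped at {hash_bits} bits"))
        elif hash_bits > key_bits:
            findings.append((cert.subject, "HASH_STRONGER",
                             f"{cert.sig_hash} ({hash_bits}-bit) under {signer}: "
                             "no security gain; only an interoperability concern"))
        if issuer is cert:
            findings.append((cert.subject, "SELF_SIGNED",
                             "root self-signature is not verified by relying parties"))
    return findings


# Constructed from the chain listed in the post (leaf first).
CLOUDFLARE_CHAIN = [
    Cert("CN=cloudflare.com", "EC", "P-256", "SHA256"),
    Cert("CN=DigiCert ECC Extended Validation Server CA", "EC", "P-384", "SHA384"),
    Cert("CN=DigiCert High Assurance EV Root CA", "RSA", 2048, "SHA1"),
]

if __name__ == "__main__":
    print("signature_algorithms needed:", ":".join(required_sigalgs(CLOUDFLARE_CHAIN)))
    for subject, code, detail in audit(CLOUDFLARE_CHAIN):
        print(f"{code:13} {subject}: {detail}")
```

Run as a script it prints the sigalg list and one line per finding. The HASH_WEAKER finding on the leaf is the "should be sha384ECDSA" point (the signature's strength is capped by the 128-bit hash rather than the 192-bit P-384 key), and HASH_STRONGER on the intermediate is the "imbalanced, interop only" point; the root's self-signature is reported because a literal RFC 5246 reading still counts it, even though verifiers never check it.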