Message390618
With OpenSSL 3.0.0-alpha14 several tests for TLS 1.0 and 1.1 connections are failing handshake with "[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error". OpenSSL is configured with default security level "1". Tests are only passing with @SECLEVEL=0.
I think the security default callback refuses NID_sha1 and NID_sha1_md5 SSL_SECOP_SIGALG_SUPPORTED because their security bits are lower than minimum of 80 bits.
ssl_security_default_callback (s=0x7fffdc001840, ctx=0x0, op=327691, bits=67, nid=114, other=0x7fffe8ab194a, ex=0x0) at ssl/ssl_cert.c:969
ssl_security_default_callback (s=0x7fffdc001840, ctx=0x0, op=327691, bits=64, nid=64, other=0x7fffe8ab188a, ex=0x0) at ssl/ssl_cert.c:969
#0 tls_choose_sigalg (s=0x7fffdc001840, fatalerrs=1) at ssl/t1_lib.c:3307
#1 0x00007fffe9cb00f4 in tls_post_process_client_hello (s=0x7fffdc001840, wst=WORK_MORE_B) at ssl/statem/statem_srvr.c:2223
#2 0x00007fffe9cad560 in ossl_statem_server_post_process_message (s=0x7fffdc001840, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:1236
#3 0x00007fffe9c97e3d in read_state_machine (s=0x7fffdc001840) at ssl/statem/statem.c:670
#4 0x00007fffe9c97723 in state_machine (s=0x7fffdc001840, server=1) at ssl/statem/statem.c:442
#5 0x00007fffe9c971db in ossl_statem_accept (s=0x7fffdc001840) at ssl/statem/statem.c:270
#6 0x00007fffe9c5f5ac in SSL_do_handshake (s=0x7fffdc001840) at ssl/ssl_lib.c:3852
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
return 0;
} |
|
Date |
User |
Action |
Args |
2021-04-09 13:08:57 | christian.heimes | set | recipients:
+ christian.heimes |
2021-04-09 13:08:57 | christian.heimes | set | messageid: <1617973737.23.0.132771876709.issue43791@roundup.psfhosted.org> |
2021-04-09 13:08:57 | christian.heimes | link | issue43791 messages |
2021-04-09 13:08:56 | christian.heimes | create | |
|