Signature Algorithms

The TLSv1.2 protocol made the signature algorithm and the hash algorithm that are used for digital signatures an independent attribute. Previously the negotiated cipher suite determined these algorithms. System SSL has the infrastructure to support multiple signature algorithms.

The ordered list of allowed signature/hash algorithm pairs serves two purposes in TLSv1.2 and has no meaning for prior protocols:
Certificate Selection
The peer certificate selection process picks the best matching certificate from the ordered list received. The list is not used when only one certificate is configured for the peer. Not using the list might result in a certificate with an undesired signature algorithm being presented to System SSL. System SSL treats an undesired signature algorithm as a session error unless optional client authentication is configured. System SSL applications are limited to one configured certificate. This certificate is always selected, regardless of the ordered list received. The certificate requestor determines the validity of this scenario.
Message Signature
The list of algorithm pairs restricts which signature and hash algorithms can be used for handshake message digital signatures. A TLSv1.2 handshake message signature can be different from the signature of the certificate that is used for the session. For instance, the handshake message can be protected by SHA512 even though an MD5 certificate is selected for the session.
System SSL has the infrastructure to support the following signature algorithms:
  • RSA_SHA512
  • RSA_SHA384
  • RSA_SHA256
  • RSA_SHA224
  • RSA_SHA1
  • RSA_MD5

Shipped SSL Supported Signature Algorithms

System SSL is shipped with the following list of supported signature algorithms:
  • RSA_SHA512
  • RSA_SHA384
  • RSA_SHA256
  • RSA_SHA224
  • RSA_SHA1
  • RSA_MD5

Shipped SSL Default Signature Algorithms

The following displays the order of the shipped default signature algorithm list:
  • RSA_SHA512
  • RSA_SHA384
  • RSA_SHA256
  • RSA_SHA224
  • RSA_SHA1
  • RSA_MD5
The shipped default signature algorithm list can be changed by using System Service Tools (SST) Advanced Analysis Command SSLCONFIG.
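
The following is a model of how the ordered list is used, added here as an illustration and not IBM's System SSL code. It encodes the shipped default list in the TLSv1.2 signature_algorithms wire form (code points from RFC 5246), parses a received list, and applies the selection and session error rules described under Certificate Selection. The function names and certificate labels are assumptions made for the example.

```python
import struct

# TLS 1.2 SignatureAndHashAlgorithm code points (RFC 5246, section 7.4.1.4.1).
HASH = {"MD5": 1, "SHA1": 2, "SHA224": 3, "SHA256": 4, "SHA384": 5, "SHA512": 6}
SIG_RSA = 1
HASH_NAME = {v: k for k, v in HASH.items()}

# Shipped default order, as listed on this page.
SHIPPED_DEFAULT = ["RSA_SHA512", "RSA_SHA384", "RSA_SHA256",
                   "RSA_SHA224", "RSA_SHA1", "RSA_MD5"]

def encode_list(names):
    """Extension body: 2-byte length, then one (hash, signature) byte pair per entry."""
    pairs = b"".join(bytes([HASH[n.split("_", 1)[1]], SIG_RSA]) for n in names)
    return struct.pack("!H", len(pairs)) + pairs

def decode_list(body):
    """Parse the extension body into ordered names; non-RSA or unknown pairs are skipped."""
    if len(body) < 2:
        raise ValueError("truncated signature_algorithms list")
    (length,) = struct.unpack("!H", body[:2])
    if length % 2 or length != len(body) - 2:
        raise ValueError("malformed signature_algorithms list")
    names = []
    for i in range(2, len(body), 2):
        h, s = body[i], body[i + 1]
        if s == SIG_RSA and h in HASH_NAME:
            names.append("RSA_" + HASH_NAME[h])
    return names

def select_certificate(peer_list, certs):
    """certs maps a hypothetical label to the certificate's signature algorithm.
    Returns (label, matched). A single configured certificate is always selected."""
    if len(certs) == 1:
        (label, alg), = certs.items()
        return label, alg in peer_list      # the ordered list is not consulted
    for alg in peer_list:                   # the peer's order decides preference
        for label, cert_alg in certs.items():
            if cert_alg == alg:
                return label, True
    return None, False

def session_result(matched, optional_client_auth=False):
    """An undesired algorithm is a session error unless client auth is optional."""
    return "ok" if matched or optional_client_auth else "session error"
```

With one configured RSA_SHA1 certificate and a received list that omits RSA_SHA1, `select_certificate` still returns that certificate with `matched` set to False, which is the case the receiving side reports as a session error.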