[erlang-questions] TLS: signature algorithms extension

Andreas Schultz <>
Tue Feb 16 08:55:11 CET 2016


Hi,

----- Original Message -----
> From: "Roger Lipscombe" <>
> To: 
> Sent: Monday, February 15, 2016 5:45:20 PM
> Subject: [erlang-questions] TLS: signature algorithms extension

> Does Erlang support the signature algorithms extension in TLS 1.2
> (https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1)?

Yes, and it does announce (as client) all the hash and signature
algorithms that it supports.

> Specifically, I've got two classes of client, one of which expects a
> SHA1-signed certificate, and one of which expects a SHA256-signed
> certificate.
> 
> It appears that 'certfile' can only be specified once, and -- in
> testing -- it appears that the file can contain only one server
> certificate.
> 
> Can we use Erlang SSL (via ranch, if it matters) to serve a different
> certificate based on the signature algorithms extension sent by the
> client (or, if absent, a default)?

The certificate to use is initialized before the handshake. So there
is no support for selecting different certificates from a list of
candidates.

Andreas


More information about the erlang-questions mailing list