[erlang-questions] TLS: signature algorithms extension

Ingela Andin <>
Tue Feb 16 10:20:54 CET 2016


Hi!

I confirm what Andreas is saying. Of course it would be an interesting
functionality to add more possibilities for the server to choose
certificates, as for the sni option there is one such possibility.

Regards Ingela Erlang/OTP team - Ericsson AB


2016-02-16 8:55 GMT+01:00 Andreas Schultz <>:

> Hi,
>
> ----- Original Message -----
> > From: "Roger Lipscombe" <>
> > To: 
> > Sent: Monday, February 15, 2016 5:45:20 PM
> > Subject: [erlang-questions] TLS: signature algorithms extension
>
> > Does Erlang support the signature algorithms extension in TLS 1.2
> > (https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1)?
>
> Yes, and it does announce (as client) all the hash and signature
> algorithms that it supports.
>
> > Specifically, I've got two classes of client, one of which expects a
> > SHA1-signed certificate, and one of which expects a SHA256-signed
> > certificate.
> >
> > It appears that 'certfile' can only be specified once, and -- in
> > testing -- it appears that the file can contain only one server
> > certificate.
> >
> > Can we use Erlang SSL (via ranch, if it matters) to serve a different
> > certificate based on the signature algorithms extension sent by the
> > client (or, if absent, a default)?
>
> The certificate to use is initialized before the handshake. So there
> is no support for selecting different certificates from a list of
> candidates.
>
> Andreas
> _______________________________________________
> erlang-questions mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-questions
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160216/268db3a6/attachment.html>


More information about the erlang-questions mailing list