pyopenssl icon indicating copy to clipboard operation
pyopenssl copied to clipboard

Published 20 hours ago verified publisher icon pyca

Add binding for SSL_CTX_set1_sigalgs_list

Open Jean-Daniel opened this issue 6 years ago • 3 comments

OpenSSL.Context should expose a function to let client set signature algorithms (using SSL_CTX_set1_sigalgs_list which is already exposed by cryptography and available in pyOpenSSL).

This is required to force the server certificate choice (to RSA or ECDSA) when using TLS 1.3 as certificate type is no longer specified in the cipher name.

While forcing the certificate type is not useful for simple connection, this is a critical feature to be able to write tools to check the server SSL configuration.

My own use case is to be able to verify that an automatic certificate deployment script properly configure both RSA and ECDSA certificate on the server. As the server returns only the preferred certificate, having a way to force it is a requirement.

Jean-Daniel avatar Jul 03 '19 09:07 Jean-Daniel

SSL_CTX_set1_sigalgs_list is already bound (in cryptography, which pyOpenSSL uses), so you can submit a PR that adds a function calling it in pyOpenSSL without any additional work.

reaperhulk avatar Jul 03 '19 14:07 reaperhulk

PR #851

Jean-Daniel avatar Jul 08 '19 14:07 Jean-Daniel

Unfortunately, the binding was remove from cryptography…

https://github.com/pyca/cryptography/pull/6473

Jean-Daniel avatar Jun 15 '22 13:06 Jean-Daniel