tls-server: Consider supported signature algorithms when selecting key/certificate
authorPascal Knecht <pascal.knecht@hsr.ch>
Mon, 12 Oct 2020 16:58:53 +0000 (18:58 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
commit9803fb82f448c7eae03aa4505b0f24a26a8f1948
treeb31fdbcd31dc2a71715ef824028cd866fede7317
parent06112f3fe26413585c832b50e36b7d91d0e96f6e
tls-server: Consider supported signature algorithms when selecting key/certificate

This won't work if the client doesn't send a `signature_algorithms`
extension.  But since the default is SHA1/RSA, most will send it to at
least announce stronger hash algorithms if not ECDSA.
src/libtls/tls_crypto.c
src/libtls/tls_crypto.h
src/libtls/tls_server.c