Hi. Visit https://www.ssllabs.com/ssltest/viewMyClient.html and check
out "Protocol Details -> Signature algorithms". I expect you'll find
that your browser doesn't offer SHA512/RSA.
Judging from a recent discussion on the IETF TLS list [1], there seems
to be some confusion over whether the TLS signature_algorithms extension
should 1) restrict the permitted certificate signature algorithms and
the non-certificate uses of digital signatures in the TLS protocol or 2)
only restrict the non-certificate uses of digital signatures in the TLS
protocol.
Those taking view 2 don't offer SHA512/RSA because no cipher suites
require it. I've concluded that, sadly, certs signed with SHA512/RSA
basically don't work for TLS.
[1] http://www.ietf.org/mail-archive/web/tls/current/msg13606.html
On 02/10/14 07:00, mayak wrote:
> hi all,
>
> indeed -- i generated a new set of certs and tested:
>
> a signature of sha256 results in TLSv* begin offered
> a signature of sha512 results in TLSv* _not_ being offered
> certs with 4096 bit keys work fine
>
> i suspect that there is a variable that is not long enough to support
> the signature ...
>
> thanks!
>
> m
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx