diff options
-rw-r--r-- | lib/ext/signature.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/lib/ext/signature.c b/lib/ext/signature.c index 96b97cef94..f7bec7c4f5 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -272,6 +272,7 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, sig_ext_st *priv; extension_priv_data_t epriv; unsigned int cert_algo; + gnutls_sign_algorithm_t saved_sigalgo = 0; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_SIGN_UNKNOWN); @@ -301,7 +302,10 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, priv->sign_algorithms[i]) < 0) continue; - if (!client_cert && _gnutls_session_sign_algo_enabled + if (client_cert && !saved_sigalgo) + saved_sigalgo = priv->sign_algorithms[i]; + + if (_gnutls_session_sign_algo_enabled (session, priv->sign_algorithms[i]) < 0) continue; @@ -309,6 +313,12 @@ _gnutls_session_get_sign_algo(gnutls_session_t session, } } + /* When having a legacy client certificate which can only be signed + * using algorithms we don't always enable by default (e.g., DSA-SHA1), + * continue and sign with it. */ + if (client_cert && saved_sigalgo) + return saved_sigalgo; + fail: return GNUTLS_SIGN_UNKNOWN; } |