I have a server using openssl and I sent a connect request using openssl as:

openssl s_client -4 -connect www.google.com:443 -sigalgs rsa_pss_rsae_sha384 -tls1_2

I expected the connection to fail with a cipher mismatch error, but instead the server chooses a SHA384 cipher and then sends a cert with an RSA2K key signed using the SHA256 algorithm. Why is the server/client not rejecting the connection? Are SHA384 and SHA256 inter-usable?

Certificate chain
 0 s:CN = www.google.com, O = Example Inc., OU = Example Inc.
   i:C = IN, L = ben, ST = kar, O = pqr, OU = pqs, CN = "rsa2k (t) "
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 26 14:26:13 2025 GMT; NotAfter: Sep  9 05:32:04 2025 GMT
 1 s:C = IN, L = ben, ST = kar, O = pqr, OU = pqs, CN = "rsa2k (t) "
   i:C = IN, ST = kar, L = ben, O = pqr, OU = pqs, CN = rsa2k
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 26 05:32:04 2025 GMT; NotAfter: Sep  9 05:32:04 2025 GMT
 2 s:C = IN, ST = kar, L = ben, O = pqr, OU = pqs, CN = rsa2k
   i:O = example.com, CN = Example Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 19 07:17:41 2025 GMT; NotAfter: Jan  4 07:17:41 2053 GMT
-------------------------skip-------------------------
Peer signing digest: SHA384
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3908 bytes and written 285 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

1 Answer

Are SHA384 and SHA256 inter-usable?

SHA384 cannot simply be used instead of SHA256.

Can Server send sha256 cert when client asks for sha384?

The server obviously "can" do this as you've observed. The question is more if

  • the server is supposed to send a certificate which does not match the signature algorithms requested by the client
  • the client is supposed to accept a certificate which does not match the signature algorithms it requested

The RFC for TLS 1.2 (which you use here) clearly says in section 7.4.2:

If the client provided a "signature_algorithms" extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension.

So, it looks like server implementations are sloppy in implementing this MUST requirement. Instead they probably hope that the client will just abandon the handshake if it does not like the certificate.
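As an added check that is not part of the question or the answer, the script below reads the "Certificate chain" block that openssl s_client prints (like the one quoted above) and reports which certificates are signed with a hash/signature pair that is not in the client's -sigalgs list, which is exactly the MUST from RFC 5246 section 7.4.2. It only recognises the RSA PKCS#1 v1.5 sigalg spellings visible in the question's output; any other spelling is treated as non-compliant rather than guessed.

```python
import re

# OpenSSL's names for certificate signature algorithms in the "Certificate
# chain" block, mapped to the TLS 1.2 signature_algorithms (scheme, hash) pair
# they correspond to; RSA-SHAxxx means PKCS#1 v1.5 (rsa_pkcs1 in TLS terms).
CERT_SIGALG = {
    "RSA-SHA256": ("rsa_pkcs1", "sha256"),
    "RSA-SHA384": ("rsa_pkcs1", "sha384"),
    "RSA-SHA512": ("rsa_pkcs1", "sha512"),
}

def chain_sigalgs(output):
    """Return [(depth, sigalg)] for every certificate in an s_client chain dump."""
    certs, depth = [], None
    for line in output.splitlines():
        start = re.match(r"\s*(\d+) s:", line)
        if start:
            depth = int(start.group(1))
        alg = re.search(r"sigalg: (\S+)", line)
        if alg and depth is not None:
            certs.append((depth, alg.group(1)))
    return certs

def check_chain(output, offered):
    """RFC 5246 7.4.2: every cert MUST be signed with a pair the client offered.
    `offered` is the colon-separated list passed to `openssl s_client -sigalgs`,
    e.g. 'rsa_pss_rsae_sha384' -> ('rsa_pss_rsae', 'sha384')."""
    offered_pairs = {tuple(n.rsplit("_", 1)) for n in offered.split(":")}
    return [(d, alg, CERT_SIGALG.get(alg) in offered_pairs)
            for d, alg in chain_sigalgs(output)]

def handshake_signature(output):
    """The ServerKeyExchange signature, which OpenSSL reports separately and
    which in the question did honour the offered sigalgs, unlike the chain."""
    digest = re.search(r"Peer signing digest: (\S+)", output)
    sigtype = re.search(r"Peer signature type: (\S+)", output)
    return (sigtype.group(1), digest.group(1)) if digest and sigtype else None

# Condensed from the s_client output quoted in the question.
SAMPLE = """\
Certificate chain
 0 s:CN = www.google.com, O = Example Inc., OU = Example Inc.
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
 2 s:C = IN, ST = kar, L = ben, O = pqr, OU = pqs, CN = rsa2k
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
---
Peer signing digest: SHA384
Peer signature type: RSA-PSS
"""
```

Running check_chain(SAMPLE, "rsa_pss_rsae_sha384") flags every certificate, while handshake_signature(SAMPLE) shows the ServerKeyExchange signature did use RSA-PSS/SHA384, which is why only the chain violates the requirement.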

1 Comment

Well, it looks like OpenSSL implementations are doing that.
