# Message signature

The list of algorithm pairs restricts which signature and hash algorithms can be used for handshake message digital signatures. A handshake message signature algorithm might be different from the signature algorithm of the certificate that is used for the session.

For instance, the handshake message might be protected by SHA256 even though a SHA1 certificate is selected for the session.

- ECDSA_SHA512
- ECDSA_SHA384
- ECDSA_SHA256
- ECDSA_SHA224
- ECDSA_SHA1
- RSA_PSS_SHA512
- RSA_PSS_SHA384
- RSA_PSS_SHA256
- RSA_SHA512
- RSA_SHA384
- RSA_SHA256
- RSA_SHA224
- RSA_SHA1
- RSA_MD5

## Enabled signature algorithms

The System Service Tools (SST) Advanced Analysis command TLSCONFIG identifies the signature algorithms for use in handshake messages that are enabled on the system. Applications can negotiate secure sessions with only the signature algorithms that are listed for TLSCONFIG option supportedSignatureAlgorithmList.

To determine the current value of the enabled signature algorithm list on the system, use TLSCONFIG option display or the Retrieve TLS Attributes (QsoRtvTLSA) API.

If the enabled signature algorithm list must be changed on the system, use TLSCONFIG option supportedSignatureAlgorithmList to change the value. TLSCONFIG option h displays the help text that describes how to set the signature algorithm list. Only signature algorithm values that are listed in the help text can be added to the list.

`TLSCONFIG -supportedSignatureAlgorithmList:36,35,34`

- ECDSA_SHA512
- ECDSA_SHA384
- ECDSA_SHA256
- RSA_PSS_SHA512
- RSA_PSS_SHA384
- RSA_PSS_SHA256
- RSA_SHA512
- RSA_SHA384
- RSA_SHA256

## Default signature algorithms

When an application does not specify a signature algorithm list, the System TLS default signature algorithm list is used. Applications use this design to pick up new TLS support without requiring application code changes. The default signature algorithm list has no meaning for applications that explicitly specify the signature algorithm list for the application.

The default signature algorithm list on a system is the intersection of the enabled signature algorithm list and the eligible default signature algorithm list. The eligible default signature algorithm list is configured by using TLSCONFIG option defaultSignatureAlgorithmList.

To determine the current value of the eligible default signature algorithm list on the system, use TLSCONFIG option display or the Retrieve TLS Attributes (QsoRtvTLSA) API.

Consider changing the default signature algorithm settings only when no other configuration setting allows an application to interoperate with peers successfully. It is preferred to enable an older signature algorithm for only the specific application that requires it. When the application has an “application definition,” then this enablement is accomplished through the Digital Certificate Manager (DCM).

If the default signature algorithm list must be changed on the system, use TLSCONFIG option defaultSignatureAlgorithmList to change the value. TLSCONFIG option h displays the help text that describes how to set the signature algorithm list. Only signature algorithm values that are listed in the help text can be added to the list.

`TLSCONFIG -signatureAlgorithmList:36,35,34`

- ECDSA_SHA512
- ECDSA_SHA384
- ECDSA_SHA256
- RSA_PSS_SHA512
- RSA_PSS_SHA384
- RSA_PSS_SHA256
- RSA_SHA512
- RSA_SHA384
- RSA_SHA256