Certificate selection
The ordered signature algorithm certificate list is sent to the peer when System SSL/TLS requests a certificate during the handshake. The peer uses the received list to guide the certificate selection process.
The peer should select a certificate that conforms to the list; however, not all implementations and configurations do so. System SSL/TLS treats a received certificate with an undesired signature algorithm as a session error unless optional client authentication is configured. When System SSL/TLS receives a client certificate request and is unable to select a conforming certificate, its behavior depends on the TLS protocol version. TLSv1.3 does not send a client certificate. TLSv1.2 sends an available nonconforming RSA or ECDSA certificate. The peer determines whether this certificate results in a session error. For more information about System SSL/TLS certificate selection logic, see Multiple certificate selection.
- ECDSA_SHA512
- ECDSA_SHA384
- ECDSA_SHA256
- ECDSA_SHA224
- ECDSA_SHA1
- RSA_PSS_SHA512
- RSA_PSS_SHA384
- RSA_PSS_SHA256
- RSA_SHA512
- RSA_SHA384
- RSA_SHA256
- RSA_SHA224
- RSA_SHA1
- RSA_MD5
Enabled certificate signature algorithms
The System Service Tools (SST) Advanced Analysis command SSLCONFIG identifies the signature algorithms that are enabled for use in certificates on the system. Applications can negotiate secure sessions only with certificates that use the signature algorithms that are listed for SSLCONFIG option supportedSignatureAlgorithmCertificateList.
To determine the current value of the enabled signature algorithm certificate list on the system, use SSLCONFIG option display or the Retrieve TLS Attributes (QsoRtvTLSA) API. If the enabled signature algorithm certificate list must be changed on the system, use SSLCONFIG option supportedSignatureAlgorithmCertificateList to change the value. SSLCONFIG option h displays the help text that describes how to set the signature algorithm certificate list. Only signature algorithm values that are listed in the help text can be added to the list.
SSLCONFIG -supportedSignatureAlgorithmCertificateList:36,35,34,16,15,14
- ECDSA_SHA512
- ECDSA_SHA384
- ECDSA_SHA256
- ECDSA_SHA224
- ECDSA_SHA1
- RSA_PSS_SHA512
- RSA_PSS_SHA384
- RSA_PSS_SHA256
- RSA_SHA512
- RSA_SHA384
- RSA_SHA256
- RSA_SHA224
- RSA_SHA1
- RSA_MD5
Default certificate signature algorithms
When an application does not specify a signature algorithm certificate list, the System SSL/TLS default signature algorithm certificate list is used. Applications use this design to pick up new TLS support without requiring application code changes. The default signature algorithm certificate list has no meaning for applications that explicitly specify the signature algorithm certificate list for the application.
The default signature algorithm certificate list on a system is the intersection of the enabled signature algorithm certificate list and the eligible default signature algorithm certificate list. The eligible default signature algorithm certificate list is configured by using SSLCONFIG option defaultSignatureAlgorithmCertificateList.
To determine the current value of the eligible default signature algorithm certificate list on the system, use SSLCONFIG option display or the Retrieve TLS Attributes (QsoRtvTLSA) API.
Consider changing the default signature algorithm certificate settings only when no other configuration setting allows an application to interoperate with peers successfully. It is preferred to enable an older signature algorithm for only the specific application that requires it. When the application has an “application definition,” this enablement is accomplished through the Digital Certificate Manager (DCM).
If the default signature algorithm certificate list must be changed on the system, use SSLCONFIG option defaultSignatureAlgorithmCertificateList to change the value. SSLCONFIG option h displays the help text that describes how to set the signature algorithm certificate list. Only signature algorithm values that are listed in the help text can be added to the list.
SSLCONFIG -defaultSignatureAlgorithmCertificateList:36,35,34
- ECDSA_SHA512
- ECDSA_SHA384
- ECDSA_SHA256
- ECDSA_SHA224
- ECDSA_SHA1
- RSA_PSS_SHA512
- RSA_PSS_SHA384
- RSA_PSS_SHA256
- RSA_SHA512
- RSA_SHA384
- RSA_SHA256
- RSA_SHA224
- RSA_SHA1
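The intersection rule described in this section, as an added example that is not IBM code: it parses the two SSLCONFIG commands shown on this page and returns the resulting default list together with any eligible default values that have no effect because they are not enabled. The function names, and the assumption that the result keeps the order of the eligible default list, belong to this example only.

```python
# Added example: models "default list = enabled list ∩ eligible default list".
# Codes are opaque numbers; their meaning comes from SSLCONFIG option h.

ENABLED_OPT = "supportedSignatureAlgorithmCertificateList"
DEFAULT_OPT = "defaultSignatureAlgorithmCertificateList"

def parse_sslconfig(command, expected_option):
    """Parse 'SSLCONFIG -<option>:v1,v2,...' and return the ordered codes."""
    parts = command.split()
    if len(parts) != 2 or parts[0] != "SSLCONFIG" or not parts[1].startswith("-"):
        raise ValueError(f"not an SSLCONFIG option command: {command!r}")
    option, sep, values = parts[1][1:].partition(":")
    if option != expected_option or not sep:
        raise ValueError(f"expected -{expected_option}:<values>, got {command!r}")
    codes = []
    for token in values.split(","):
        if not token.isdecimal():
            raise ValueError(f"non-numeric value {token!r} in {command!r}")
        if int(token) not in codes:  # drop duplicates, keep first position
            codes.append(int(token))
    return codes

def effective_default(enabled, eligible):
    """Return (effective, ignored) for the two lists.

    Assumption: the result keeps the order of the eligible default list.
    'ignored' holds eligible values that have no effect because they are
    not in the enabled list.
    """
    enabled_set = set(enabled)
    effective = [c for c in eligible if c in enabled_set]
    ignored = [c for c in eligible if c not in enabled_set]
    return effective, ignored

def audit(enabled_cmd, default_cmd):
    """Parse both commands and compute the resulting default list."""
    enabled = parse_sslconfig(enabled_cmd, ENABLED_OPT)
    eligible = parse_sslconfig(default_cmd, DEFAULT_OPT)
    return effective_default(enabled, eligible)

if __name__ == "__main__":
    # The two commands shown on this page.
    effective, ignored = audit(
        "SSLCONFIG -supportedSignatureAlgorithmCertificateList:36,35,34,16,15,14",
        "SSLCONFIG -defaultSignatureAlgorithmCertificateList:36,35,34",
    )
    print("effective default list:", effective)
    print("eligible but not enabled:", ignored)
```

A non-empty second list means an eligible default value was configured without being enabled, so applications that rely on the default list will not get it.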