[Pkg-openssl-devel] Bug#934453: Bug#934453: curl: SSL routines:tls12_check_peer_sigalg:wrong signature type

[Kurt Roeckx]

On Mon, Aug 12, 2019 at 10:04:11PM +0200, Sebastian Andrzej Siewior wrote:
> On 2019-08-12 18:22:38 [+0200], Kurt Roeckx wrote:
> > On Mon, Aug 12, 2019 at 10:42:06AM +0200, Johannes Schauer wrote:
> > > > >     curl: (35) error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
> > > 
> > > thanks to juliank on #debian-devel I found out that this issue seems to be a
> > > duplicate of #912759?
> > > 
> > > If so, what should I write to the server admins of daserste.de? I'm not quite
> > > knowledgable about the topic and with the Qualys SSL Labs Server test reporting
> > > an A+ for the server, I don't know what argument to make that they are wrong.
> > 
> > Yes, this is a duplicate of #912759. Their software is buggy, most
> > likely not supported. They should probably talk to their vendor to
> > get an update.
> 
> | $  host www.daserste.de
> | www.daserste.de is an alias for sni.daserste.c.footprint.net.
> | sni.daserste.c.footprint.net has address 8.248.125.252
> | sni.daserste.c.footprint.net has address 67.26.137.252
> | sni.daserste.c.footprint.net has address 8.248.129.252
> 
> ach level3 CDN, lovely. So the problem is to find someone who
> understands the problem. This goes for the people behind daserste.de
> and those behind the CDN.
> 
> Kurt, could we get something into OpenSSL (aka openssl s_client
> -connect) which describes the error more accurate / verbose?
> I will try to collect some information and point the ssllabs people to
> it hoping that it will pop up in the server rating…

The error is very clear to me. The server picked a signature
algorithm that the client didn't offer. Should I try to contact
level 3?


Kurt