Why does TestSSL report FS signature algorithm RSA+SHA1, when server does not support it according to OpenSSL?
Closed this issue · 1 comment
Which version are you referring to
#####################################################################
testssl.sh version 3.3dev from https://testssl.sh/dev/
(b366d30 2025-08-18 17:10:55)
This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
#####################################################################
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on DKB000005QTD064:./bin/openssl.Linux.x86_64
built: Fri Mar 28 16:54:51 2025, platform: linux-x86_64
Using bash 5.2.21
TestSSL command
$ ./testssl.sh --fs --ip one <host>:443
Output
Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
FS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256
Elliptic curves offered: prime256v1 X25519
TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224 RSA+SHA1
TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
As shown, TestSSL shows support for RSA+SHA1 sig_alg.
OpenSSL command
$ openssl s_client -connect <host>:443 -tls1_2 -sigalgs RSA+SHA1 -msg -debug
Output
CONNECTED(00000003)
>>> TLS 1.0, RecordHeader [length 0005]
15 03 01 00 02
write to 0x6502e05df940 [0x6502e06cb820] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 50 ......P
>>> TLS 1.2, Alert [length 0002], fatal internal_error
02 50
40D717273E700000:error:0A0000B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available:../ssl/statem/statem_clnt.c:3746:No ciphers enabled for max supported SSL/TLS version
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1756812068
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
read from 0x6502e05df940 [0x6502e059b300] (8192 bytes => 0)
As seen, the handshake could not be completed when the client only indicates support for RSA+SHA1 as signature algorithm. Which is right, and why the difference?
I have looked through TestSSL code but I'm not able to pin down exactly what command is run, but I can see that the supported sig_algs are found by parsing the parse_tls_serverhello.txt file from /tmp/testssl.xyz/ using awk. I have also browsed the other similar questions concerning RSA+SHA1 on the board.
This is a FAQ which is a WIP. You're using a specific version of OpenSSL for testing, maybe with special configuration from the OS vendor which prevents the client from using RSA+SHA1. Testssl.sh uses bash sockets in addition to either the supplied OpenSSL version or the one from the OS. For the latter a special configuration is supplied.
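To make the bash-socket approach from the reply concrete (and the question above about how the sig_algs list is derived), here is an added Python example that is not testssl.sh code: it encodes a TLS 1.2 signature_algorithms extension offering only the algorithms you want to probe, and decodes which SignatureAndHashAlgorithm the server actually used in its ServerKeyExchange. Only the RFC 5246 hash/signature pairs are mapped (the RFC 8446 RSA-PSS-RSAE code points are not), and the ServerKeyExchange bytes are constructed, not captured from a real host.

```python
# Added example (not testssl.sh code): encode a TLS 1.2 signature_algorithms
# extension listing only the sig_algs we want to probe, and decode which
# SignatureAndHashAlgorithm the server used in an ECDHE ServerKeyExchange.
# Layouts follow RFC 5246 sections 7.4.1.4.1 and 7.4.3; sample bytes are constructed.
import struct

HASH = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIG = {1: "RSA", 2: "DSA", 3: "ECDSA"}
# "RSA+SHA1" -> (hash id 2, sig id 1), mirroring testssl.sh's naming
NAMES = {f"{s}+{h}": (hv, sv) for hv, h in HASH.items() for sv, s in SIG.items()}


def sigalgs_extension(names):
    """Encode extension type 13 (signature_algorithms) listing only `names`."""
    body = b"".join(struct.pack("!BB", *NAMES[n]) for n in names)
    alg_list = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", 13, len(alg_list)) + alg_list


def server_key_exchange_sigalg(ske):
    """Return the 'SIG+HASH' name found in an ECDHE ServerKeyExchange body.

    Layout: curve_type(1) named_curve(2) pubkey_len(1) pubkey
            hash(1) sig(1) signature_len(2) signature
    """
    if ske[0] != 3:  # only ECCurveType named_curve is handled here
        raise ValueError("unsupported ECCurveType")
    pub_len = ske[3]
    off = 4 + pub_len
    hash_id, sig_id = ske[off], ske[off + 1]
    sig_len = struct.unpack("!H", ske[off + 2:off + 4])[0]
    if len(ske) != off + 4 + sig_len:
        raise ValueError("truncated ServerKeyExchange")
    return f"{SIG.get(sig_id, sig_id)}+{HASH.get(hash_id, hash_id)}"


# Constructed sample: ECDHE over prime256v1 (0x0017), 65-byte uncompressed
# point, signed with RSA+SHA1 (hash 0x02, sig 0x01) and a 4-byte dummy signature.
SAMPLE_SKE = (bytes([3]) + b"\x00\x17" + bytes([65]) + b"\x04" + b"\x11" * 64
              + b"\x02\x01" + b"\x00\x04" + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    print(sigalgs_extension(["RSA+SHA1"]).hex())   # 000d000400020201
    print(server_key_exchange_sigalg(SAMPLE_SKE))  # RSA+SHA1
```

A ClientHello carrying only this extension value asks the server the same question the `-sigalgs RSA+SHA1` s_client run tried to ask; the difference in the issue is that the OpenSSL client refused locally (0 bytes read) before the server ever answered.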
