altan@aol.com wrote:
| (sorry that previous one looked so terrible. Here it is with plain text)
|
| Can a single OpenSSL context support both 1024-bit and 2048-bit RSA at
| the same time? For example, if a client device has both 1024-bit and
| 2048-bit RSA keys, will the SSL/TLS handshake allow the server to pick
| whether 1024 or 2048-bit RSA should be used?

The client certificate has no influence on the selected ciphers.
It is only used for client authentication.

The server certificate (and with that the server key) has influence
on the ciphers used in a session.

And while an SSL_CTX can have more than one cert/key pair,
you can only set one cert/key for each key type
(one RSA key/cert, one EC key/cert, ...).

It might be possible to twist the TLS hostname extension to
select between a 2048- and a 1024-bit cert/key, but that would
be something client and server would have to cooperate on...


Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
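The "twist the TLS hostname extension" idea from the reply, as an added example that is not part of the original thread or of OpenSSL's own code: one process holds a 1024-bit and a 2048-bit RSA cert/key in two separate contexts, and the client's server_name (SNI) extension decides which one is presented. It uses Python's ssl module, which wraps the same OpenSSL objects (an SSLContext is an SSL_CTX with one cert/key per key type; assigning a different context inside sni_callback is SSL_set_SSL_CTX() underneath). Assumptions not in the original: the `openssl` command-line tool is on PATH (used only to mint throw-away self-signed certificates and to read the key size back), the hostnames small.example and big.example are invented, and the security level is lowered to 0 on both sides purely so that a 1024-bit key, which current OpenSSL defaults refuse, can be demonstrated at all.

```python
"""Added example, not from the original post: pick a 1024- or 2048-bit RSA
cert/key per connection based on the TLS SNI extension.

Assumed for the demo: `openssl` CLI on PATH, invented hostnames, and
SECLEVEL=0 so a 1024-bit key (rejected by current defaults) can be shown.
"""
import os
import re
import socket
import ssl
import subprocess
import tempfile
import threading

DEMO_SIZES = {"small.example": 1024, "big.example": 2048}   # invented names


def make_selfsigned(bits, host, directory):
    """Throw-away RSA key of `bits` plus a self-signed cert for `host`."""
    key = os.path.join(directory, f"{host}.key")
    crt = os.path.join(directory, f"{host}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", f"rsa:{bits}", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={host}", "-addext", f"subjectAltName=DNS:{host}"],
        check=True, capture_output=True)
    return crt, key


def key_bits(crt):
    """Read the public key size back from the cert (1.1.1 and 3.x text formats)."""
    text = subprocess.run(["openssl", "x509", "-in", crt, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    return int(re.search(r"Public-Key: \((\d+) bit\)", text).group(1))


def build_server_contexts(directory, sizes):
    """One SSL_CTX per key size; each holds exactly one RSA cert/key, which
    is the one-cert-per-key-type limit the reply describes."""
    contexts, cert_files = {}, {}
    for host, bits in sizes.items():
        crt, key = make_selfsigned(bits, host, directory)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        # Must come before load_cert_chain: at the default security level
        # OpenSSL refuses to load a 1024-bit key at all ("ee key too small").
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")    # demo only, never in production
        ctx.load_cert_chain(crt, key)
        contexts[host], cert_files[host] = ctx, crt
    return contexts, cert_files


def install_sni_router(default_ctx, contexts):
    """Swap in the context matching the SNI name; unknown or absent names
    fall through to default_ctx's own certificate."""
    def pick(sslsock, server_name, _ctx):
        if server_name in contexts:
            sslsock.context = contexts[server_name]   # SSL_set_SSL_CTX() underneath
        # returning None lets the handshake continue
    default_ctx.sni_callback = pick


def fetch_cn(port, host, ca_file):
    """Client: send `host` as SNI, verify against the expected self-signed
    cert (hostname check included), return the commonName presented."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")          # accept the 1024-bit demo key
    ctx.load_verify_locations(ca_file)
    with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.recv(16)
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject["commonName"]


def run_demo(sizes=DEMO_SIZES):
    """Returns {sni_name: (commonName presented, RSA bits of that cert)}."""
    with tempfile.TemporaryDirectory() as d:
        contexts, cert_files = build_server_contexts(d, sizes)
        default_ctx = contexts[max(sizes, key=sizes.get)]   # biggest key if no SNI match
        install_sni_router(default_ctx, contexts)

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(5)
        listener.settimeout(10)
        port = listener.getsockname()[1]

        def serve():
            with listener:
                for _ in sizes:
                    conn, _ = listener.accept()
                    conn.settimeout(10)
                    try:
                        with default_ctx.wrap_socket(conn, server_side=True) as tls:
                            tls.sendall(b"hello\n")
                    except ssl.SSLError:
                        conn.close()   # client rejected what we presented

        t = threading.Thread(target=serve, daemon=True)
        t.start()
        results = {h: (fetch_cn(port, h, cert_files[h]), key_bits(cert_files[h]))
                   for h in sizes}
        t.join(10)
        return results


if __name__ == "__main__":
    for host, (cn, bits) in run_demo().items():
        print(f"SNI {host:14} -> cert CN={cn} ({bits}-bit RSA)")
```

The client's hostname verification against the per-name cert is what proves the routing worked: a connection that sent SNI small.example is only accepted if the server actually presented the 1024-bit certificate for that name. The cooperation the reply mentions is visible here too: a client that sends no SNI, or a name the server does not know, silently gets the default context's key, so both sides have to agree on the naming convention.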
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org