author | lloyd <[email protected]> | 2012-01-20 19:05:42 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-01-20 19:05:42 +0000 |
commit | 415efed94cb5b185ae31140285a6a5e2fef64765 (patch) | |
tree | 133f06f0a00fe635ef1803125a76cc2bf88e07f3 /src/tls/tls_extensions.cpp | |
parent | 04cf1cd6fcd56c537b5ae4d339e83df67a4094e3 (diff) |
Instead of using a hardcoded value for signature_algorithms, go with
policy. Only functional change here from before is we now send DSA
with SHA-2. This is fine, OpenSSL does it as well and while the spec
says to wait until NIST comes up with a way to prevent hash
impersonation, it doesn't really make sense to avoid possible hash
substitution attacks by using the weakest available hash...
Diffstat (limited to 'src/tls/tls_extensions.cpp')
-rw-r--r-- | src/tls/tls_extensions.cpp | 15 |
1 files changed, 0 insertions, 15 deletions
diff --git a/src/tls/tls_extensions.cpp b/src/tls/tls_extensions.cpp
index 41977f975..4fbcdbad1 100644
--- a/src/tls/tls_extensions.cpp
+++ b/src/tls/tls_extensions.cpp
@@ -365,21 +365,6 @@ MemoryVector<byte> Signature_Algorithms::serialize() const
 return buf;
 }
 
-Signature_Algorithms::Signature_Algorithms()
- {
- /*
- Declare we support everything except MD5 for RSA, and SHA-1 with DSA.
- We prefer hashes strongest (SHA-512) to weakest (SHA-1).
- */
-
- m_supported_algos.push_back(std::make_pair("SHA-512", "RSA"));
- m_supported_algos.push_back(std::make_pair("SHA-384", "RSA"));
- m_supported_algos.push_back(std::make_pair("SHA-256", "RSA"));
- m_supported_algos.push_back(std::make_pair("SHA-224", "RSA"));
- m_supported_algos.push_back(std::make_pair("SHA-1", "RSA"));
- m_supported_algos.push_back(std::make_pair("SHA-1", "DSA"));
- }
-
 Signature_Algorithms::Signature_Algorithms(TLS_Data_Reader& reader,
 u16bit extension_size)
 {
|