From d7dcfb26c0b044015ac9acd688b4f7e2b57e00ea Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin
Date: Tue, 28 Jun 2016 18:50:09 +0200
Subject: ssl: Correct handling of signature algorithm selection

In TLS-1.2 the selection of the servers algorithms and the the possible selection of algorithms for the client certificate verify message have different requirements.
---
 lib/ssl/src/ssl_connection.erl | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'lib/ssl/src/ssl_connection.erl')
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 53282998d0..adee59393e 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -528,13 +528,12 @@ certify(internal, #server_key_exchange{exchange_keys = Keys},
 end
 end;
 
-certify(internal, #certificate_request{hashsign_algorithms = HashSigns},
+certify(internal, #certificate_request{} = CertRequest,
 #state{session = #session{own_certificate = Cert},
- key_algorithm = KeyExAlg,
+ role = client,
 ssl_options = #ssl_options{signature_algs = SupportedHashSigns},
 negotiated_version = Version} = State0, Connection) ->
-
- case ssl_handshake:select_hashsign(HashSigns, Cert, KeyExAlg, SupportedHashSigns, Version) of
+ case ssl_handshake:select_hashsign(CertRequest, Cert, SupportedHashSigns, Version) of
 #alert {} = Alert ->
 Connection:handle_own_alert(Alert, Version, certify, State0);
 NegotiatedHashSign ->
--
cgit v1.2.3
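Review bot: In the new clause head `Cert` is taken from `own_certificate` with no constraint and handed to `ssl_handshake:select_hashsign/4`, so a client with no certificate configured reaches the selection with whatever value the session holds for that case. The four-argument `select_hashsign` is not shown on this page, so confirm that it returns a hash/sign pair or an `#alert{}` for that input; otherwise a server's certificate request would crash the client handshake instead of leading to an empty certificate reply. A test with a certificate-less client against a server that requests a certificate would pin this. Because of the added `role = client` match, a certificate request received in the server role now falls to a later `certify` clause outside the hunk, which should reject it with an alert. The clause body continues past the hunk's last line, and a short comment above the clause such as `%% hash/sign for CertificateVerify is selected from the server's CertificateRequest, independent of the key exchange algorithm` would record why `key_algorithm` is no longer matched.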