Open kroeckx opened 5 years ago
The key exchange in "forward security" is signed with a hash. The default security level can be set to 2, which then eliminates "short" hashes like SHA1. If a server signs the key exchange with SHA1 (which was not offered by the client due to the security level), then the connection will fail. This is usually a misconfiguration / broken software on the server's side.
Alright, but it happens a lot to websites that we can't even name and shame. For example, www.gouvernement.fr or bank sites that really don't care about this, since it works in browsers.
Maybe they should be detected by your (really) popular tool.
Thanks for bringing this to our notice, we would investigate based on the evidence and see the changes needed.
This can be closed as duplicate of #465.
Now that we have a chosen-prefix collision for SHA-1, any chance that we can make these SHA1 signatures, that the client did not ask for, more visible?
Or servers that prefer SHA1 over SHA256 when both are offered by the client, which is something Windows servers do.
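As an added example, not code from the ssllabs-scan project or from anyone in this thread: the script below models the check described in the opening comment, i.e. it parses the signature_algorithms list a TLS 1.2 client offered and the SignatureAndHashAlgorithm a server actually used in its ECDHE ServerKeyExchange, and classifies the pair the way OpenSSL's tls12_check_peer_sigalg would ("not_offered" is the "wrong signature type" failure). It also flags the weaker case from the Windows comment, where SHA1 was offered but the server chose it although a stronger digest was on the list. The two offers are constructed approximations of what an OpenSSL 1.1.1 client sends at SECLEVEL=2 and SECLEVEL=1; the point and signature bytes are filler, and no signature is verified.

```python
"""Added example, not code from the ssllabs-scan project or the issue authors.
Models the TLS 1.2 signature_algorithms check: the client advertises the
(hash, signature) pairs it accepts, and the server's ECDHE ServerKeyExchange
must be signed with one of them.  All bytes are constructed; 'point' and
'signature' are dummy filler, not real key material."""
import struct

# RFC 5246 7.4.1.4.1 HashAlgorithm / SignatureAlgorithm code points
HASH_BITS = {1: 128, 2: 160, 3: 224, 4: 256, 5: 384, 6: 512}   # md5 .. sha512
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# RFC 8446 schemes start with 0x08; OpenSSL 1.1.1 also accepts rsa_pss_rsae_* in TLS 1.2.
PSS_BITS = {4: 256, 5: 384, 6: 512}

SHA1_RSA = (2, 1)
SHA256_RSA = (4, 1)


def hash_bits(pair):
    """Digest size of a (hash, signature) pair; 0 when the pair is unknown."""
    hash_alg, sig_alg = pair
    if hash_alg == 8:
        return PSS_BITS.get(sig_alg, 0)
    return HASH_BITS.get(hash_alg, 0)


def pair_name(pair):
    hash_alg, sig_alg = pair
    if hash_alg == 8:
        return f"rsa_pss_rsae_sha{PSS_BITS.get(sig_alg, '?')}"
    return f"{HASH_NAMES.get(hash_alg, hash_alg)}+{SIG_NAMES.get(sig_alg, sig_alg)}"


def parse_signature_algorithms_ext(data):
    """Body of a ClientHello signature_algorithms extension:
    uint16 list length followed by 2-byte (hash, signature) pairs."""
    (length,) = struct.unpack_from("!H", data, 0)
    if length % 2 or length + 2 != len(data):
        raise ValueError("malformed signature_algorithms extension")
    return [(data[i], data[i + 1]) for i in range(2, 2 + length, 2)]


def build_signature_algorithms_ext(pairs):
    body = b"".join(bytes(p) for p in pairs)
    return struct.pack("!H", len(body)) + body


def parse_ecdhe_server_key_exchange(body):
    """TLS 1.2 ECDHE ServerKeyExchange body (RFC 4492 5.4, RFC 5246 7.4.3):
    curve_type(1) named_curve(2) point<1..2^8-1> hash(1) sig(1) signature<0..2^16-1>."""
    if body[0] != 3:
        raise ValueError("only named_curve ECDHE is modelled")
    (named_curve,) = struct.unpack_from("!H", body, 1)
    point_len = body[3]
    pos = 4 + point_len
    hash_alg, sig_alg = body[pos], body[pos + 1]
    (sig_len,) = struct.unpack_from("!H", body, pos + 2)
    signature = body[pos + 4:pos + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    return {"named_curve": named_curve, "point": body[4:pos],
            "sigalg": (hash_alg, sig_alg), "signature": signature}


def build_ecdhe_server_key_exchange(sigalg, named_curve=0x0017):
    """Constructed ServerKeyExchange with filler point and signature bytes."""
    point = b"\x04" + b"\x11" * 64          # shape of an uncompressed P-256 point
    signature = b"\x22" * 256               # shape of a 2048-bit RSA signature
    return (bytes([3]) + struct.pack("!H", named_curve)
            + bytes([len(point)]) + point
            + bytes(sigalg) + struct.pack("!H", len(signature)) + signature)


def classify(offered, used, min_bits=256):
    """'not_offered': the server signed with a pair the client never offered;
    OpenSSL's tls12_check_peer_sigalg aborts with 'wrong signature type'.
    'weak_preferred': the pair was offered, but the server picked a digest
    below min_bits although a stronger one was on the list.
    'ok': anything else."""
    if used not in offered:
        return "not_offered"
    if hash_bits(used) < min_bits and any(hash_bits(p) >= min_bits for p in offered):
        return "weak_preferred"
    return "ok"


def check_server(client_offer, ske_bytes):
    """Returns (classification, human-readable name of the sigalg the server used)."""
    offered = parse_signature_algorithms_ext(client_offer)
    used = parse_ecdhe_server_key_exchange(ske_bytes)["sigalg"]
    return classify(offered, used), pair_name(used)


# Constructed approximations of an OpenSSL 1.1.1 client's offer at SECLEVEL=2 (no SHA1)
# and at SECLEVEL=1 (SHA1 still listed, last).
SECLEVEL2_OFFER = build_signature_algorithms_ext([(8, 4), (4, 1), (5, 1), (4, 3)])
SECLEVEL1_OFFER = build_signature_algorithms_ext([(8, 4), (4, 1), (5, 1), (4, 3), (2, 1)])

if __name__ == "__main__":
    for label, offer in (("SECLEVEL=2", SECLEVEL2_OFFER), ("SECLEVEL=1", SECLEVEL1_OFFER)):
        for sigalg in (SHA1_RSA, SHA256_RSA):
            print(label, check_server(offer, build_ecdhe_server_key_exchange(sigalg)))
```

Against a live server the same distinction can be drawn with `openssl s_client -connect host:443 -sigalgs 'RSA+SHA256:ECDSA+SHA256'`: a server that still signs the key exchange with SHA1 produces the "wrong signature type" error shown later in this thread, while one that merely prefers SHA1 when it is offered only shows up when SHA1 is added to the `-sigalgs` list and the negotiated signature is inspected.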
It looks like this issue is affecting Debian 10; let me crosslink to:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934453
I am also able to replicate, if it helps:
$ curl 'https://www.gouvernement.fr'
curl: (35) error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
$ curl -I --ciphers DEFAULT@SECLEVEL=1 'https://www.gouvernement.fr'
HTTP/1.1 200 OK
Date: Wed, 25 Mar 2020 11:21:44 GMT
(...)
Server: nginx
$ curl --version
curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
$ curl --verbose 'https://www.gouvernement.fr' 2>&1 | xclip
* Expire in 0 ms for 6 (transfer 0x55c327638e80)
* Expire in 1 ms for 1 (transfer 0x55c327638e80)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Expire in 0 ms for 1 (transfer 0x55c327638e80)
(... about 300 further repeated "* Expire in N ms for 1 (transfer 0x55c327638e80)" lines omitted ...)
* Trying 8.253.93.226...
* TCP_NODELAY set
* Expire in 149988 ms for 3 (transfer 0x55c327638e80)
* Expire in 200 ms for 4 (transfer 0x55c327638e80)
* Connected to www.gouvernement.fr (8.253.93.226) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [104 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3641 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
} [2 bytes data]
* error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (35) error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
$ openssl s_client -connect www.gouvernement.fr:443
CONNECTED(00000003)
depth=2 C = FR, O = Dhimyotis, CN = Certigna
verify return:1
depth=1 C = FR, O = DHIMYOTIS, OU = 0002 48146308100036, organizationIdentifier = NTRFR-48146308100036, CN = Certigna Services CA
verify return:1
depth=0 C = FR, L = PARIS SP 07, O = DIR DES SERVICES ADMINIST ET FINANCIERS, OU = 0002 12000103700015, organizationIdentifier = NTRFR-12000103700015, CN = www.gouvernement.fr, serialNumber = S7158001
verify return:1
140175380944000:error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../ssl/t1_lib.c:1111:
---
Certificate chain
0 s:C = FR, L = PARIS SP 07, O = DIR DES SERVICES ADMINIST ET FINANCIERS, OU = 0002 12000103700015, organizationIdentifier = NTRFR-12000103700015, CN = www.gouvernement.fr, serialNumber = S7158001
i:C = FR, O = DHIMYOTIS, OU = 0002 48146308100036, organizationIdentifier = NTRFR-48146308100036, CN = Certigna Services CA
1 s:C = FR, O = DHIMYOTIS, OU = 0002 48146308100036, organizationIdentifier = NTRFR-48146308100036, CN = Certigna Services CA
i:C = FR, O = Dhimyotis, CN = Certigna
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIIDjCCBfagAwIBAgIQGkBZSDKW+dhPZ2i0rSvPzjANBgkqhkiG9w0BAQsFADB9
MQswCQYDVQQGEwJGUjESMBAGA1UECgwJREhJTVlPVElTMRwwGgYDVQQLDBMwMDAy
IDQ4MTQ2MzA4MTAwMDM2MR0wGwYDVQRhDBROVFJGUi00ODE0NjMwODEwMDAzNjEd
MBsGA1UEAwwUQ2VydGlnbmEgU2VydmljZXMgQ0EwHhcNMTcxMTEwMDgyMTAxWhcN
MjAxMTA5MDgyMTAxWjCBwzELMAkGA1UEBhMCRlIxFDASBgNVBAcMC1BBUklTIFNQ
IDA3MTAwLgYDVQQKDCdESVIgREVTIFNFUlZJQ0VTIEFETUlOSVNUIEVUIEZJTkFO
Q0lFUlMxHDAaBgNVBAsMEzAwMDIgMTIwMDAxMDM3MDAwMTUxHTAbBgNVBGEMFE5U
UkZSLTEyMDAwMTAzNzAwMDE1MRwwGgYDVQQDDBN3d3cuZ291dmVybmVtZW50LmZy
MREwDwYDVQQFEwhTNzE1ODAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBANHSJ2iBSggfdj6So8yIFhaXEzRMPViXJJEgJWNkGbFsMLLRU3wpS9WZo5Tr
q+5xkjqkLrkMG9QRrH6SyKeaZlNQkogHLVdQkdsTkiyIuKH2bWIHkbEhJ3tBwlIP
7wB8lRiboK7jg3zEnRWD4vdK5r5zARUa9guAjnO5Hfxf1UhxGzzOxtqGJLDuRKDF
ZxtNo/Uru68/C40bRWCWsCpY2uppqjQYRjfgrHWY8CjKzNEIhtGN1Lge9nRgLfPZ
IhMKBsYsamtEuciWQOpxzt5dP/2PI8w6DTyxZg2A34wEYGRGmbBYTcFKI9OW4mX1
7na4zwr24Ed8cSi3gNlKBk3g6zsCAwEAAaOCA0EwggM9MAkGA1UdEwQCMAAwDgYD
VR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMGUGA1UdHwReMFwwK6Ap
oCeGJWh0dHA6Ly9jcmwuY2VydGlnbmEuZnIvc2VydmljZXNjYS5jcmwwLaAroCmG
J2h0dHA6Ly9jcmwuZGhpbXlvdGlzLmNvbS9zZXJ2aWNlc2NhLmNybDCB5AYIKwYB
BQUHAQEEgdcwgdQwNgYIKwYBBQUHMAKGKmh0dHA6Ly9hdXRvcml0ZS5jZXJ0aWdu
YS5mci9zZXJ2aWNlc2NhLmRlcjA4BggrBgEFBQcwAoYsaHR0cDovL2F1dG9yaXRl
LmRoaW15b3Rpcy5jb20vc2VydmljZXNjYS5kZXIwLgYIKwYBBQUHMAGGImh0dHA6
Ly9zZXJ2aWNlc2NhLm9jc3AuY2VydGlnbmEuZnIwMAYIKwYBBQUHMAGGJGh0dHA6
Ly9zZXJ2aWNlc2NhLm9jc3AuZGhpbXlvdGlzLmNvbTAdBgNVHQ4EFgQUBtG2jJHI
Q9rdRc4sa74ch7vLQKIwHwYDVR0jBBgwFoAUrOyGj0s3HLh/FxsZ0K7oTuM0XBIw
HgYDVR0RBBcwFYITd3d3LmdvdXZlcm5lbWVudC5mcjBUBgNVHSAETTBLMAgGBmeB
DAECAjA/BgsqgXoBgTECBQEBATAwMC4GCCsGAQUFBwIBFiJodHRwczovL3d3dy5j
ZXJ0aWduYS5mci9hdXRvcml0ZXMvMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcA
7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFfpQSVqQAABAMASDBG
AiEA/jSjDP08SQifFUNa7TsWoLb68H7o/GhGMg9BgNoumEICIQCbkpGDEXRs5SGC
Du8QBieFRwS9LoO6j4CUTVf6xV6JzwB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEA
KQaNsgiaN9kTAAABX6UElpQAAAQDAEcwRQIgY1hknAZdCmy4RFnuTCsKnMThdYG1
5nS7ltGA5aRYmFcCIQDI5JfIxQBhojZm4tLToyNApKw59ss9WBoKBN+dR7Cj/TAN
BgkqhkiG9w0BAQsFAAOCAgEAp9Qaz8PwCRrWGz2BfUETsjeLFTSmVydZLlwPkEif
Sk1ndqBS58BJai3ydtzT6ixvDfiSnluDtt95LzMzmTJ2U8clJazFVRnoj9J7opGE
i4LwmDwfEAKUjrs+DerSPKpvUPUEDTqzGx9MqvUrvQbjOdsSydpWWW1tjx3NSgRU
UunNsOYMCaDV8Ah6CS7vJpPA201wZ54bE/HozFV/0jnJXg8lbBhXdhKqfmvwf9yL
GGOUSsY4TG8qEMwgL88QWvskDgINE8Ei1kl449CgrP5iEXO38Y2eBnHa+QOX3Faq
4Zv3yE4NQUIdwenHdq6pdWaQX78JVVxuh7lrt2IdEJf9nb7iaZmtZfgwBc7uMKnU
mVf6fvV4d3B4trtEy3DoTemzI9o8P9v3bnZooYRShcKaqVuIFSuEhxVUFyxGZaN/
+JIsKz0gaxAq1mzRTxOXYVdRH694+eIbDjUtURSN+Frn7iBQTpBxZ1NH4iFxvxGX
fKw3LIF6fV8ovmjqV0KNOIFsDyy3lACQ2AnO/E9RdyC90pF2MCfkkM11TkKPuqhg
v9ckOCRiBg82PHwA7ZYu4EeJMPjKYHfSicyKtxYcddP9ztBqlCmb/d7/l5H6s5U5
y5CuCGn+oogF6AD+bNQFjqPP2agUapUoF5Hz+s2/dyZj+2n6QGwzbbnQcgXnefvZ
QP0=
-----END CERTIFICATE-----
subject=C = FR, L = PARIS SP 07, O = DIR DES SERVICES ADMINIST ET FINANCIERS, OU = 0002 12000103700015, organizationIdentifier = NTRFR-12000103700015, CN = www.gouvernement.fr, serialNumber = S7158001
issuer=C = FR, O = DHIMYOTIS, OU = 0002 48146308100036, organizationIdentifier = NTRFR-48146308100036, CN = Certigna Services CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4050 bytes and written 318 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1585136435
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
I can provide more details if needed.
Related to: https://twitter.com/RzrFreeFr/status/1242778454510243840
Yes, this issue is a duplicate of https://github.com/ssllabs/ssllabs-scan/issues/465#issuecomment-554669595.
Hi! Heroku has recently released its new stack, Heroku-20, which is now based on Ubuntu 20.04 rather than Ubuntu 18.04.
We're getting a number of reports of users who are seeing the openssl wrong signature type errors due to Ubuntu 20.04 having changed the OpenSSL default SECLEVEL to 2.
It would be great if the SSL Labs test correctly identified these broken server implementations, since currently it reports success, making it a hard sell to try and convince users that it's the third party server that is broken - particularly since these broken implementations still typically work in browsers.
Many thanks :-)
A lot of websites that get an A rating are not viewable on Fedora 33 + Firefox since they introduced their new crypto policies. Several admins ignored my bug report pointing to their good SSLLabs rating.
www.euroclear.com is such a site, which according to SSLLabs works under Firefox, but under Fedora/Firefox it does not.
Some servers use SHA1 based signature algorithms when the client didn't offer them. See for instance https://github.com/openssl/openssl/issues/7126
Can a check be added for such servers, and stop marking them as A+?