My client certificate is stored in a crypto device which not support RSA+SHA1 signature(Restrictions on sha1, sha256 and others are fine), but when I configure my server to support TLSv1.2, it seems that IE always pick RSA+SHA1 as the hash and signature algorithm for client certificate verify, which is not my server's favorite, supported algorithms in client certificate request package are listed below(last three are SHA1 related):
06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03
I have read the rfc5246, it only says that client should choose a pair listed above(please point out my misunderstanding if any),not a specific one.
How IE choose a hash algorithm? Is there any way to configure IE to use a hash algorithm other than SHA1? Or I have to configure my server not to suport SHA1 in client certificate request?