[gnutls-dev] Server->client cert. request not TLS 1.2-compatible

Ludovic Courtès ludovic.courtes at laas.fr
Mon Dec 18 19:19:52 CET 2006


Hi,

`_gnutls_gen_cert_server_cert_req ()' is not TLS 1.2-aware, unlike
`_gnutls_proc_cert_cert_req ()'.  Specifically, TLS 1.2 requires (per
`draft-ietf-tls-rfc4346-bis-02.txt') certificate request messages to
include a `certificate_hash' sequence.  While `proc_cert_cert_req' does
expect and read this sequence when in TLS 1.2,
`gen_cert_server_cert_req' does not issue that sequence.

A temporary workaround that may only work with GnuTLS-based TLS 1.2
clients/servers is attached: basically, it modifies
`gen_cert_server_cert_req' so that it produces an empty hash algorithm
sequence.

Again, if need be, I'd be glad to provide a real fix based on your
input.

Thanks,
Ludovic.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: ,,cert-req-tls-1-2.diff
Type: text/x-diff
Size: 703 bytes
Desc: The hack
URL: </pipermail/attachments/20061218/d1bbccbd/attachment.diff>

