[gnutls-dev] Server->client cert. request not TLS 1.2-compatible
Ludovic Courtès
ludovic.courtes at laas.fr
Mon Dec 18 19:19:52 CET 2006
Hi,
`_gnutls_gen_cert_server_cert_req ()' is not TLS 1.2-aware, unlike
`_gnutls_proc_cert_cert_req ()'. Specifically, TLS 1.2 requires (per
`draft-ietf-tls-rfc4346-bis-02.txt') certificate request messages to
include a `certificate_hash' sequence. While `proc_cert_cert_req' does
expect and read this sequence when in TLS 1.2,
`gen_cert_server_cert_req' does not issue that sequence.
A temporary workaround that may only work with GnuTLS-based TLS 1.2
clients/servers is attached: basically, it modifies
`gen_cert_server_cert_req' so that it produces an empty hash algorithm
sequence.
Again, if need be, I'd be glad to provide a real fix based on your
input.
Thanks,
Ludovic.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ,,cert-req-tls-1-2.diff
Type: text/x-diff
Size: 703 bytes
Desc: The hack
URL: </pipermail/attachments/20061218/d1bbccbd/attachment.diff>
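The interoperability problem described in the post, as an added illustration that is not the attached patch and not GnuTLS code: the CertificateRequest body gains one extra length-prefixed vector in TLS 1.2 (the sequence the draft called `certificate_hash`, finalized in RFC 5246 as `supported_signature_algorithms`), placed between `certificate_types` and `certificate_authorities`. The encoder below can emit either layout, including the empty-sequence form the workaround produces, and the strict parser shows why a peer that expects the other layout misreads the message. Certificate-type codes, the two SignatureAndHashAlgorithm pairs and the CA names are constructed sample values.

```python
import struct

# Constructed sample values (RFC 5246 code points, not taken from the post).
RSA_SIGN = 1          # ClientCertificateType rsa_sign
ECDSA_SIGN = 64       # ClientCertificateType ecdsa_sign
SHA256_RSA = (4, 1)   # SignatureAndHashAlgorithm {hash=sha256, sig=rsa}
SHA1_RSA = (2, 1)     # SignatureAndHashAlgorithm {hash=sha1,   sig=rsa}


def encode_cert_request(cert_types, ca_dns, sig_algs=None):
    """Encode a CertificateRequest body.

    sig_algs=None  -> TLS 1.0/1.1 layout (no algorithm vector at all)
    sig_algs=[...] -> TLS 1.2 layout; an empty list yields the empty
                      two-byte vector the workaround in the post emits.
    """
    out = bytes([len(cert_types)]) + bytes(cert_types)
    if sig_algs is not None:
        algs = b"".join(bytes(pair) for pair in sig_algs)
        out += struct.pack("!H", len(algs)) + algs        # 2-byte length
    dns = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    out += struct.pack("!H", len(dns)) + dns              # 2-byte length
    return out


def parse_cert_request(data, tls12):
    """Strict parser: tls12 selects whether the algorithm vector is expected.
    Raises ValueError/struct.error on any length inconsistency."""
    pos = 0
    n = data[pos]
    pos += 1
    cert_types = list(data[pos:pos + n])
    pos += n
    sig_algs = None
    if tls12:
        (alen,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if alen % 2:
            raise ValueError("odd supported_signature_algorithms length")
        sig_algs = [tuple(data[pos + i:pos + i + 2]) for i in range(0, alen, 2)]
        pos += alen
    (dlen,) = struct.unpack_from("!H", data, pos)
    pos += 2
    end = pos + dlen
    if end > len(data):
        raise ValueError("certificate_authorities overruns message")
    ca_dns = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if pos + dn_len > end:
            raise ValueError("DistinguishedName overruns vector")
        ca_dns.append(data[pos:pos + dn_len])
        pos += dn_len
    if pos != len(data):
        raise ValueError("trailing bytes after certificate_authorities")
    return cert_types, sig_algs, ca_dns


def parses_cleanly(data, tls12):
    """True if the strict parser accepts `data` under the given version rule."""
    try:
        parse_cert_request(data, tls12)
        return True
    except (ValueError, struct.error, IndexError):
        return False


if __name__ == "__main__":
    ca = [b"CA01"]
    tls11_msg = encode_cert_request([RSA_SIGN], ca)
    tls12_empty = encode_cert_request([RSA_SIGN], ca, [])           # the workaround
    tls12_full = encode_cert_request([RSA_SIGN, ECDSA_SIGN], ca, [SHA256_RSA, SHA1_RSA])
    for name, msg in (("1.1", tls11_msg), ("1.2/empty", tls12_empty), ("1.2", tls12_full)):
        print(name, msg.hex(),
              "as-1.1:", parses_cleanly(msg, False),
              "as-1.2:", parses_cleanly(msg, True))
```

A pre-1.2 message read with the 1.2 rule consumes the CA-list length as the algorithm-vector length, so the subsequent lengths no longer line up; the reverse mismatch leaves unread bytes. Both cases surface as handshake failures rather than as wrong-but-accepted data only because every length is checked, which is the check an implementation wants when it starts emitting or consuming the new vector.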