[PATCH] client-side TLS 1.2 support

Simon Josefsson simon at josefsson.org
Mon Aug 31 15:33:54 CEST 2009


Daiki Ueno <ueno at unixuser.org> writes:

>>>>>> In <87fxbdjt8v.fsf_-_ at mocca.josefsson.org> 
>>>>>>	Simon Josefsson <simon at josefsson.org> wrote:
>> Daiki Ueno <ueno at unixuser.org> writes:
>
>> >> Finishing the TLS 1.2 support and adding the new cipher suites is a
>> >> high-priority task and it shouldn't be too difficult since there are TLS
>> >> 1.2 test servers out there to test with.
>> >
>> > Thanks for the hint.  I'll check which features of TLS 1.2 are not
>> > implemented.  Adding HMAC-SHA256 cipher suites looks like one thing to do.
>
>> Actually TLS 1.2 is not working in GnuTLS now, the drafts changed how
>> the negotiation worked after I implemented it and I never found time to
>> update it to support the protocol defined by the final RFC.
>
> I just realized it ;-)
>
> I'm attaching a set of patches to provide a minimal fix for client-side
> TLS 1.2 support.  I've confirmed them working against Mike's test
> server:
>
>  $ gnutls-cli --debug 10 --protocols TLS1.2 -p 443 www.mikestoolbox.net

Confirmed, also working against

https://tls.woodgrovebank.com/

Before we enable TLS 1.2 by default, I think what is missing are:

* Check server-side TLS 1.2
* Add SHA-2 ciphersuites
* Add self-test of TLS 1.2 ciphers/features

/Simon




