TLS 1.2 server
Daiki Ueno
ueno at unixuser.org
Wed Sep 30 12:47:12 CEST 2009
>>>>> In <87r5tp56c4.fsf at mocca.josefsson.org>
>>>>> Simon Josefsson <simon at josefsson.org> wrote:
> What do you think we should do about the CertificateRequest
> supported_signature_algorithms field? I think the application may want
> to look at the server preference when deciding which certificate to use,
> and GnuTLS may want to use this information internally too, when it is
> selecting the certificate.
I have thought of something like:
* Provide the following default ordering of algorithms:
RSA_SHA512(*)
RSA_SHA384(*)
RSA_SHA256(*)
RSA_SHA1(+)
DSA_SHA1(+)
* is only available if RSA certificate is given
+ is only available if DSA certificate is given
* The application may supply the preference through a priority string
like this: "+SIGN_RSA_SHA256:-SIGN_RSA_SHA384:!SIGN_RSA_SHA1", where
"+" moves the given algorithm to the top, "-" moves it to the bottom,
and "!" disables it.
Any thoughts?
Regards,
--
Daiki Ueno
More information about the Gnutls-devel
mailing list