TLS 1.2 server

Daiki Ueno ueno at
Wed Sep 30 12:47:12 CEST 2009

>>>>> In <87r5tp56c4.fsf at> 
>>>>>	Simon Josefsson <simon at> wrote:
> What do you think we should do about the CertificateRequest
> supported_signature_algorithms field?  I think the application may want
> to look at the server preference when deciding which certificate to use,
> and GnuTLS may want to use this information internally too, when it is
> selecting the certificate.

I have thought of something like:

* Provide the following default ordering of algorithms:


  * is only available if RSA certificate is given
  + is only available if DSA certificate is given

* The application may supply the preference through a priority string
  like this: "+SIGN_RSA_SHA256:-SIGN_RSA_SHA384:!SIGN_RSA_SHA1", where
  "+" moves the given algorithm to the top, "-" moves it to the bottom,
  and "!"  disables it.

Any thoughts?

Daiki Ueno

More information about the Gnutls-devel mailing list