GNU TLS 2.9.9 , sign/hash extension support
Manish Patidar
mann.patidar at gmail.com
Mon Mar 8 18:21:45 CET 2010
Hi ,
I was going through the GNU TLS 2.9.9 source code that support TLS 1.2.
I have following doubts in gnutls that support of TLS 1.2 rfc
1. While selecting server cert and chain, GNUTLS just compare server
certificate with client requested sign/hash extension, not the whole chain.
if it matched one of the server certificate , it will select the chain.
but according to TLS 1.2 , whole chain must matched with one of the
sign/hash algo supported by client.
Is my understanding is correct ..?
If not , how and which part of code GNU TLS compare the sign/hash algo
with the whole chain.
2. While selecting client cert list in response of client cert request, GNU
TLS doesn't use parsed sign/hash algo supported server.
it just use the cert type and dns name for selecting cert chain ,not
sign/hash algo
but according to TLS 1.2 , client must compare and select cert chain
that matches with one of the sign/hash supported by server.
Please let me know if am correct or not.
Please provide some of your valuable inputs which clarify above point
Regards
Manish
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20100308/80b0bd4c/attachment.htm>
More information about the Gnutls-devel
mailing list