[gnutls-devel] RFC 7250 and API change

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon May 2 09:22:54 CEST 2016


On Mon, May 2, 2016 at 8:14 AM, Rick van Rein <rick at openfortress.nl> wrote:
> Hello Nikos,
> Tom and I are working on
> https://tools.ietf.org/html/draft-vanrein-tls-kdh-03
> which implements Kerberos tickets as you suggested, per RFC 7250.
> What we run into is probably a break with the GnuTLS API, and we'd like
> to hear your opinion on this.
>
> The call to gnutls_certificate_type_get() seems to make an implicit
> assumption that the same certificate type is used in both directions,
> but with RFC 7250 (which we are now adding) there is a possibility that
> these are different.
> Applications of GnuTLS might not be aware of this having been added to
> GnuTLS, and may end up being confused.

I think the best approach would be by introducing a new API (e.g.,
gnutls_certificate_type_get2()) which will allow specifying direction
or report for both directions. I think that old applications should
not be an issue because any such extension that enables different
certificate types per direction would have to be enabled explicitly,
via a flag to gnutls_init() for example. I haven't thought about it
much though. Does the above make sense?

regards,
Nikos
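Added example (editor's note, not GnuTLS code and not from either poster): a stand-alone C model of the design sketched above, showing why a single-answer getter is ambiguous once RFC 7250's client_certificate_type and server_certificate_type extensions can settle on different types, and how an explicit enable flag keeps old callers unaffected. The names session_t, SESSION_ENABLE_CTYPE_NEG, negotiate_direction(), ctype_get2() and ctype_get_legacy() are hypothetical stand-ins for the proposed GnuTLS API, and the offered type lists are constructed for the scenario; only the certificate type code points (X.509 = 0, OpenPGP = 1, Raw Public Key = 2) come from the IANA registry.

```c
#include <stddef.h>
#include <stdio.h>

/* Certificate type code points from the IANA "TLS Certificate Types"
 * registry: X.509 (0), OpenPGP (1), Raw Public Key (2, RFC 7250). */
typedef enum { CTYPE_X509 = 0, CTYPE_OPENPGP = 1, CTYPE_RAWPK = 2 } ctype_t;

/* Which side's certificate a query refers to (hypothetical). */
typedef enum { CTYPE_DIR_CLIENT = 0, CTYPE_DIR_SERVER = 1 } ctype_dir_t;

/* Hypothetical init flag: without it the per-direction extensions are never
 * negotiated, so an application that predates them keeps seeing X.509. */
#define SESSION_ENABLE_CTYPE_NEG 0x1u

typedef struct {
    unsigned flags;
    ctype_t ctype[2];   /* indexed by ctype_dir_t */
} session_t;

void session_init(session_t *s, unsigned flags) {
    s->flags = flags;
    s->ctype[CTYPE_DIR_CLIENT] = CTYPE_X509;   /* RFC 7250 default when the */
    s->ctype[CTYPE_DIR_SERVER] = CTYPE_X509;   /* extension is absent        */
}

/* Server-side selection for one direction: the client lists acceptable types
 * in preference order, the server takes the first one it supports. With no
 * overlap the handshake fails (RFC 7250 has the server abort with an
 * unsupported_certificate alert); modelled here as -1. */
int negotiate_direction(session_t *s, ctype_dir_t dir,
                        const ctype_t *client_offer, size_t n_offer,
                        const ctype_t *server_supported, size_t n_supp) {
    if (!(s->flags & SESSION_ENABLE_CTYPE_NEG))
        return 0;   /* extension disabled: offer ignored, stays X.509 */
    if (n_offer == 0)
        return 0;   /* extension absent: X.509 */
    for (size_t i = 0; i < n_offer; i++)
        for (size_t j = 0; j < n_supp; j++)
            if (client_offer[i] == server_supported[j]) {
                s->ctype[dir] = client_offer[i];
                return 0;
            }
    return -1;
}

/* Direction-aware accessor, modelled on the proposed *_get2(). */
ctype_t ctype_get2(const session_t *s, ctype_dir_t dir) {
    return s->ctype[dir];
}

/* Model of the legacy single-answer accessor: only well defined when both
 * directions agree; returns -1 when they differ. */
int ctype_get_legacy(const session_t *s) {
    if (s->ctype[CTYPE_DIR_CLIENT] != s->ctype[CTYPE_DIR_SERVER])
        return -1;
    return (int)s->ctype[CTYPE_DIR_CLIENT];
}

/* Constructed scenario: the server authenticates with a raw public key while
 * the client is asked for an X.509 certificate. When the flag is off, the
 * server simply does not see the extensions and sends X.509 as before. */
int run_mixed_scenario(session_t *s, unsigned flags) {
    const ctype_t want_from_server[] = { CTYPE_RAWPK, CTYPE_X509 };
    const ctype_t client_can_send[]  = { CTYPE_X509 };
    const ctype_t server_can_send[]  = { CTYPE_RAWPK };
    const ctype_t server_accepts[]   = { CTYPE_X509, CTYPE_RAWPK };
    session_init(s, flags);
    if (negotiate_direction(s, CTYPE_DIR_SERVER, want_from_server, 2,
                            server_can_send, 1) < 0)
        return -1;
    if (negotiate_direction(s, CTYPE_DIR_CLIENT, client_can_send, 1,
                            server_accepts, 2) < 0)
        return -1;
    return 0;
}

int main(void) {
    session_t s;
    run_mixed_scenario(&s, SESSION_ENABLE_CTYPE_NEG);
    printf("negotiation on:  server=%d client=%d legacy getter=%d\n",
           ctype_get2(&s, CTYPE_DIR_SERVER), ctype_get2(&s, CTYPE_DIR_CLIENT),
           ctype_get_legacy(&s));
    run_mixed_scenario(&s, 0);
    printf("negotiation off: server=%d client=%d legacy getter=%d\n",
           ctype_get2(&s, CTYPE_DIR_SERVER), ctype_get2(&s, CTYPE_DIR_CLIENT),
           ctype_get_legacy(&s));
    return 0;
}
```

With the flag set the legacy getter has no single correct answer (server is raw public key, client is X.509), which is the ambiguity Rick describes; with the flag clear both directions stay X.509 and the legacy getter keeps its old meaning, which is the compatibility argument in the reply. A real implementation would also have to check that the certificate actually received matches the negotiated type for that direction before using it.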
