[gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Aug 20 11:30:45 CEST 2018


Nikos Mavrogiannopoulos started a new discussion on lib/ext/server_cert_type.c:

>  	ssize_t len = data_size;
>  	const uint8_t* pdata = data;
>  
> -	/* Only activate this extension if cert type negotiation is enabled
> -	 * and we have cert credentials set */
> +	/* Only activate this extension if cert type negotiation is enabled,
> +	 * we are not resuming a session and we have cert credentials set */
>  	if (!_gnutls_has_negotiate_ctypes(session) ||
> +			gnutls_session_is_resumed(session) ||
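Review bot: the new `gnutls_session_is_resumed(session) ||` term assumes resumption state is already known when this extension's data is parsed, but the discussion below notes that under TLS 1.3 the PSK extension is parsed last, so the check cannot be active yet at this point, and under TLS 1.2 a resumed handshake never reaches this parser at all. Either drop the condition and handle the resumed case by negotiating and then ignoring the value, or document the ordering dependency next to the updated comment so the "we are not resuming a session" wording is not misleading.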

I think given the previous discussion (that under TLS1.3 the psk extension is last), the `gnutls_session_is_resumed` does not help here.

Under TLS1.2 or earlier if we are resuming only the extensions of type `GNUTLS_EXT_MANDATORY` are parsed (thus not this one), and under TLS1.3 `gnutls_session_is_resumed` will not be active already. As such I think what you suggested (negotiating and ignoring the value) is the only option.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_95465221