[gnutls-devel] GnuTLS | gnutls_certificate_type_get*: ensure that the default type is returned (!806)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Nov 17 20:31:07 CET 2018


Tom commented on a discussion on lib/constate.c:

>  		dst->prf = src->prf; \
>  		dst->grp = src->grp; \
>  		dst->pversion = src->pversion; \
> +		dst->client_ctype = src->client_ctype; \
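
Review bot: the added `dst->client_ctype = src->client_ctype;` line sits inside a backslash-continued macro, next to the `prf`, `grp` and `pversion` copies, with nothing saying why the certificate type has to be copied with them. A short comment above the macro would cover that. The quoted excerpt ends at this line, so it does not show whether the server-side certificate type is copied in the same place. If it is not, copying only the client type leaves the two values inconsistent in `dst`.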

A cert type / cert mismatch can indeed lead to parsing / interpretation problems and should therefore be avoided, I think. Therefore I think that the solution to pack the originally negotiated params is our best option.

> if the resumed session negotiates a different certificate than the original one, then all the authentication info data (i.e., certificates from the original session) are cleared up. That way the application will see an empty certificate, and could use the new certificate type in a potential post-handshake auth.

Indeed, I don't know whether that is a scenario that will be used, but if we want to allow it, I think this would be a good solution, yes. That means that we have to build some extra checks in the cert type negotiation extensions.

One important question is now whether this is an unforeseen use case in the spec and whether the spec should be updated to ensure consistent behavior between different implementations?

How bad is it to deviate from the spec to prevent the possibility to end up in an unwanted scenario?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/806#note_118013331