[gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Thu Feb 14 22:35:44 CET 2019
I wouldn't disable TLS1.3 if these groups are enabled in priority string:
- it would be quite easy to disable TLS1.3 by misconfiguring priority string
- it might make a sensible configuration for a server to support TLS1.3 with ECDSA, while falling back to TLS1.2 if client requests GOST cipher suite.
I'm actually more concerned about the other direction: if client specifies TLS 1.3 and one of these groups (together with other known ones) we should not fail negotiation (currently GnuTLS will return icorrect_parameter, because GOST groups are not supported in key_share extension). So my first target is to ignore these groups when TLS 1.3 is selected.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/920#note_141500564
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel