[gnutls-devel] GnuTLS | WIP: Add support for CNT_IMIT TLS 1.2 GOST cipher suite (!920)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Feb 14 22:35:44 CET 2019


I wouldn't disable TLS1.3 if these groups are enabled in the priority string:
 - it would be quite easy to disable TLS1.3 by misconfiguring the priority string
 - it might make a sensible configuration for a server to support TLS1.3 with ECDSA, while falling back to TLS1.2 if the client requests a GOST cipher suite.

I'm actually more concerned about the other direction: if the client specifies TLS 1.3 and one of these groups (together with other known ones), we should not fail negotiation (currently GnuTLS will return incorrect_parameter, because GOST groups are not supported in the key_share extension). So my first target is to ignore these groups when TLS 1.3 is selected.
