[gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat Nov 23 21:08:40 CET 2019
Nikos Mavrogiannopoulos commented on a discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249441723
> + },
> + {
> + .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert",
> + .server_ret = 0,
> + .client_ret = 0,
> + .have_cert_cred = 1,
> + .have_gost12_512_cert = 1,
> + .not_on_fips = 1,
> + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2",
> + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION,
> + .exp_version = GNUTLS_TLS1_2,
> + },
> + /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST
> + * but this is unsuppored for now */
> + {
> + .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert",
I read it, and makes sense in the "protocol" view, but not necessarily with this project view. When we brought TLS1.3 we took extensive measures to eliminate these exact scenarios. gnutls will not fail if you negotiate
- srp
- rsa-psk
- supplemental data
- anonymous ciphersuites
That sets in my opinion, a bar which we shouldn't get under for the GOST. We should have connection failures only as a result of a bug, not by design (see also my comment on #862 - it is a similar protocol issue).
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_249441723
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20191123/03bbaccd/attachment-0001.html>
More information about the Gnutls-devel
mailing list