[gnutls-devel] GnuTLS | Draft: priority: add %FORCE_SESSION_HASH modifier (!1711)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Mon Feb 27 16:33:19 CET 2023
Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1711#note_1293631421
To make them pass under FIPS, as `%FORCE_SESSION_HASH` is the default, we need to think about the library behavior for the following cases:
- the negotiated version is either SSL 3.0 or DTLS 0.9 (i.e., EMS cannot be used)
- either `%NO_EXTENSIONS` or `%NO_SESSION_HASH` is used
For the former, I guess we could simply allow absence of EMS for those protocols; we could disable them in configuration file.
For the latter, we probably should have a way to invalidate the effect of implicit `%FORCE_SESSION_HASH`, while we want to ensure that the use of EMS is somehow enforced.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1711#note_1293631421
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel