[gnutls-devel] GnuTLS | Draft: priority: add %FORCE_SESSION_HASH modifier (!1711)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Feb 27 16:33:19 CET 2023




Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1711#note_1293631421

To make them pass under FIPS, as `%FORCE_SESSION_HASH` is the default, we need to think about the library behavior for the following cases:
- the negotiated version is either SSL 3.0 or DTLS 0.9 (i.e., EMS cannot be used)
- either `%NO_EXTENSIONS` or `%NO_SESSION_HASH` is used

For the former, I guess we could simply allow absence of EMS for those protocols; we could disable them in configuration file.

For the latter, we probably should have a way to invalidate the effect of implicit `%FORCE_SESSION_HASH`, while we want to ensure that the use of EMS is somehow enforced.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1711#note_1293631421
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20230227/1961772d/attachment.html>


More information about the Gnutls-devel mailing list