[gnutls-devel] GnuTLS | New priority string: `%NO_EC_POINT_FORMAT` (and, test in gnutls-cli-debug) (#1448)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Wed Jan 25 22:24:12 CET 2023
Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1448
In TLS 1.3, the EC Point Format extension is deprecated. It looks like some TLS servers (at least those from [Vencel](https://vencel.com)) appear to send a handshake failure alert if the ClientHello does not contain an `ec_point_format` extension.
It would be useful to introduce a new priority string named something like `%NO_EC_POINT_FORMAT` which would cause the TLS client to omit the extension entirely. It would also be a useful test to add to `gnutls-cli-debug`. This test would report whether the handshake succeeds if the extension is omitted.
Note: I discovered this [looking into a failure with RIPE Atlas probes](https://github.com/RIPE-NCC/ripe-atlas-probe-measurements/pull/15), after some manual testing. GnuTLS doesn't have a problem connecting to Vencel servers, but the probe did. Having a way to diagnose the connection failure directly from the `gnutls-cli-debug` would have made my testing simpler and easier.
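As an added illustration (not part of the issue or of GnuTLS itself), the following stdlib-only Python probe does what the proposed `gnutls-cli-debug` test would do: it builds a TLS 1.3-capable ClientHello with or without the `ec_point_formats` extension, sends it, and reports whether the server's first record is a ServerHello or an alert such as `handshake_failure`. The random throwaway `key_share`, the fixed-offset extension parser and the small alert-name table are this example's own assumptions; the handshake is never completed.

```python
import os
import socket
import struct

EC_POINT_FORMATS = 0x000B  # extension type; deprecated in TLS 1.3 (RFC 8446, section 4.2)
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}
_ext = lambda ext_type, body: struct.pack("!HH", ext_type, len(body)) + body  # type, length, body

def build_client_hello(sni, include_ec_point_formats):
    """One TLS record carrying a TLS 1.3-capable ClientHello for `sni`."""
    host = sni.encode()
    exts = [
        _ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host),  # server_name
        _ext(0x000A, bytes.fromhex("0004001d0017")),              # supported_groups: x25519, P-256
        _ext(0x000D, bytes.fromhex("000a04030804040105030805")),  # signature_algorithms
        _ext(0x002B, bytes.fromhex("0403040303")),                # supported_versions: 1.3, 1.2
        # throwaway x25519 key_share (random bytes): the server can answer, we never finish
        _ext(0x0033, struct.pack("!HHH", 36, 0x001D, 32) + os.urandom(32)),
    ]
    if include_ec_point_formats:
        exts.insert(2, _ext(EC_POINT_FORMATS, b"\x01\x00"))  # one format: uncompressed
    ext_blob = b"".join(exts)
    body = (b"\x03\x03" + os.urandom(32) + b"\x20" + os.urandom(32)      # version, random, session id
            + b"\x00\x06" + bytes.fromhex("130113021303") + b"\x01\x00"  # AES-GCM/CHACHA, null compression
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs             # record type 22 = handshake

def extension_types(record):
    # extension type codes of a ClientHello made by build_client_hello() (fixed layout)
    b, p, types = record[9:], 79, []        # body after record+handshake headers; ext list at 79
    end = p + struct.unpack("!H", b[77:79])[0]
    while p < end:
        t, n = struct.unpack("!HH", b[p:p + 4])
        types.append(t)
        p += 4 + n
    return types

def classify_response(data):
    # name the server's first record: a named alert, a ServerHello, or something else
    if len(data) >= 7 and data[0] == 0x15:                       # alert: level, description
        return "alert:" + ALERT_NAMES.get(data[6], str(data[6]))
    if len(data) >= 6 and data[0] == 0x16 and data[5] == 0x02:   # handshake record, ServerHello
        return "server_hello"
    return "no_response" if not data else "unexpected:%02x" % data[0]

def probe(host, port=443, include_ec_point_formats=True, timeout=5):
    # send one ClientHello and report how the server reacts; needs network access
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host, include_ec_point_formats))
        return classify_response(s.recv(4096))
```

Running `probe(host, include_ec_point_formats=False)` against a server you operate and comparing it with the default call shows directly whether that server insists on the deprecated extension.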