<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p class="details" style="font-style: italic; color: #777777;">
<a href="https://gitlab.com/Vrancken">Tom</a>
commented on a discussion
on <a href="https://gitlab.com/gnutls/gnutls/merge_requests/650#note_110877089">doc/cha-gtls-app.texi</a>:
</p>
<table>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="1300" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
1300
</td>
<td class="diff-line-num new_line" data-linenumber="1322" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
1322
</td>
<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC1322" class="line" lang="plaintext">(i.e. different for the client than for the server).</span>
</pre>
</td>
</tr>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="1301" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
1301
</td>
<td class="diff-line-num new_line" data-linenumber="1323" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
1323
</td>
<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC1323" class="line" lang="plaintext"></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="1302" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
1302
</td>
<td class="diff-line-num new_line" data-linenumber="1324" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
1324
</td>
<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC1324" class="line" lang="plaintext">Currently supported types are:</span>
</pre>
</td>
</tr>
<tr class="line_holder old" id="">
<td class="diff-line-num old old_line" data-linenumber="1303" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#f9d7dc">
1303
</td>
<td class="diff-line-num new_line old" data-linenumber="1325" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#f9d7dc">
 
</td>
<td class="line_content noteable_line old" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#fbe9eb">
<pre style="margin: 0;">-<span id="LC1303" class="line" lang="plaintext">CTYPE-X509 or CTYPE-X.509. Catch all is CTYPE-ALL.</span>
</pre>
</td>
</tr>
<tr class="line_holder new" id="">
<td class="diff-line-num new old_line" data-linenumber="1304" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
 
</td>
<td class="diff-line-num new new_line" data-linenumber="1325" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
1325
</td>
<td class="line_content new noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#ecfdf0">
<pre style="margin: 0;">+<span id="LC1325" class="line" lang="plaintext">CTYPE-X509 or CTYPE-X.509<span class="idiff left right">, CTYPE-RAWPK or CTYPE-RAWPUBKEY</span>. Catch all is CTYPE-ALL.</span>
</pre>
</td>
</tr>

</table>
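<p dir="auto">Review bot: the new line 1325 reads as two alternatives ("CTYPE-X509 or CTYPE-X.509, CTYPE-RAWPK or CTYPE-RAWPUBKEY") when it is meant to list two types that each have an alias; suggest "CTYPE-X509 (alias CTYPE-X.509) and CTYPE-RAWPK (alias CTYPE-RAWPUBKEY)". It also says nothing about the raw public key keyword being ignored unless the application enables raw public keys, which the discussion below makes the intended behaviour, so a reader of the manual would expect setting CTYPE-RAWPK in the priority string to be sufficient on its own. A sentence stating that dependency next to the keyword would close that gap.</p>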
<div>
<p dir="auto">I propose the following. RFC7250 dictates that the certificate type negotiation extensions will only be sent when non-trivial cert types are set. That means cert types other than the default X.509 type. So this ensures safe default behaviour. We have currently implemented an extra check that toggles these extensions explicitly. This is not necessary anymore when we toggle specific certificate type related functionality via dedicated flags. For example, we can introduce a <code>GNUTLS_ENABLE_RAWPK</code> init flag that toggles whether raw public keys are enabled or not. Even if a user sets the rawpk cert type via the priority strings, it will simply be ignored if the init flag is not set. That way the cert type extensions function according to spec, but we still have the power to enable/disable specific functionality as an application developer. Looking at my next patch that introduces Kerberos authentication, we can do the same with a <code>GNUTLS_ENABLE_KDH</code> flag, for example.</p>
<p dir="auto">To summarize, I would propose to drop the <code>GNUTLS_ENABLE_CERT_TYPE_NEG</code> flag in favor of dedicated functionality specific flags such as <code>GNUTLS_ENABLE_RAWPK</code> and such. These latter flags will then toggle which cert types will be allowed and which should be ignored during the handshake.</p>
<p dir="auto">What do you think about this? Also, can we remove the <code>GNUTLS_ENABLE_CERT_TYPE_NEG</code> flag and remain ABI compatible? Or don't we really care since this flag is so new that it is probably not being used ATM?</p>
</div>
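<p dir="auto">The rule proposed in the comment above, as an added, self-contained model in C (not GnuTLS code and not part of this merge request): a requested cert type is dropped unless its feature flag is set, the RFC 7250 extension is sent only when the remaining list is more than the X.509 default, and one direction of the negotiation is resolved from what each side ends up offering. The flag name <code>ENABLE_RAWPK</code> stands in for the proposed <code>GNUTLS_ENABLE_RAWPK</code>, the two-slot priority lists and the server-preference pick are modelling assumptions, and no real handshake is performed.</p>

```c
#include <stdbool.h>
#include <stdio.h>

/* Certificate types, mirroring the CTYPE-X509 and CTYPE-RAWPK priority keywords. */
enum cert_type { CT_NONE = 0, CT_X509 = 1, CT_RAWPK = 2 };

/* Hypothetical init flag standing in for the proposed GNUTLS_ENABLE_RAWPK;
 * the name and value are assumptions of this model, not a documented API. */
#define ENABLE_RAWPK 0x1u

#define MAX_TYPES 2

/* One endpoint: its init flags and the cert types its priority string asked
 * for, most preferred first (assumed two slots for brevity). */
struct endpoint {
    unsigned flags;
    enum cert_type prio[MAX_TYPES];
    int nprio;
};

static struct endpoint make_endpoint(unsigned flags, enum cert_type first, enum cert_type second)
{
    struct endpoint e = { flags, { CT_NONE, CT_NONE }, 0 };
    if (first != CT_NONE) e.prio[e.nprio++] = first;
    if (second != CT_NONE) e.prio[e.nprio++] = second;
    return e;
}

/* Flag gating: a type requested via the priority string is silently dropped
 * when its feature flag is not set. An empty result falls back to X.509, the
 * RFC 7250 default. Returns the number of usable types written to `out`. */
static int effective_types(const struct endpoint *e, enum cert_type out[MAX_TYPES])
{
    int n = 0;
    for (int i = 0; i < e->nprio; i++) {
        if (e->prio[i] == CT_RAWPK && !(e->flags & ENABLE_RAWPK))
            continue;
        out[n++] = e->prio[i];
    }
    if (n == 0)
        out[n++] = CT_X509;
    return n;
}

/* RFC 7250 rule: the certificate type extension goes on the wire only when
 * the effective list is non-trivial, i.e. something other than just X.509. */
static bool sends_extension(unsigned flags, enum cert_type first, enum cert_type second)
{
    struct endpoint e = make_endpoint(flags, first, second);
    enum cert_type eff[MAX_TYPES];
    int n = effective_types(&e, eff);
    return !(n == 1 && eff[0] == CT_X509);
}

/* Negotiate one direction (say, the server's certificate type). With no
 * extension from the client the answer is X.509, provided the server can do
 * X.509. With one, the server walks its own preference order and takes the
 * first type the client also offered (a modelling choice; RFC 7250 only
 * requires the pick to come from the client's list). CT_NONE means there is
 * no common type, so the handshake must fail rather than silently fall back. */
static enum cert_type negotiate(unsigned cflags, enum cert_type c1, enum cert_type c2,
                                unsigned sflags, enum cert_type s1, enum cert_type s2)
{
    struct endpoint client = make_endpoint(cflags, c1, c2);
    struct endpoint server = make_endpoint(sflags, s1, s2);
    enum cert_type ceff[MAX_TYPES], seff[MAX_TYPES];
    int nc = effective_types(&client, ceff);
    int ns = effective_types(&server, seff);

    if (!sends_extension(cflags, c1, c2)) {
        for (int j = 0; j < ns; j++)
            if (seff[j] == CT_X509) return CT_X509;
        return CT_NONE;
    }
    for (int j = 0; j < ns; j++)
        for (int i = 0; i < nc; i++)
            if (seff[j] == ceff[i]) return seff[j];
    return CT_NONE;
}

static const char *name(enum cert_type t)
{
    return t == CT_X509 ? "X.509" : t == CT_RAWPK ? "RAWPK" : "none (handshake fails)";
}

int main(void)
{
    /* Client asks for RAWPK in its priority string but never set ENABLE_RAWPK:
     * the request is ignored, no extension is sent, plain X.509 results. */
    printf("rawpk requested, flag unset: ext=%d -> %s\n",
           (int)sends_extension(0, CT_RAWPK, CT_X509),
           name(negotiate(0, CT_RAWPK, CT_X509, 0, CT_X509, CT_NONE)));
    /* Both sides enable and prefer RAWPK: extension sent, RAWPK negotiated. */
    printf("rawpk enabled both sides: ext=%d -> %s\n",
           (int)sends_extension(ENABLE_RAWPK, CT_RAWPK, CT_X509),
           name(negotiate(ENABLE_RAWPK, CT_RAWPK, CT_X509, ENABLE_RAWPK, CT_RAWPK, CT_X509)));
    /* Client insists on RAWPK only, server never enabled it: no overlap. */
    printf("rawpk-only client, x509-only server -> %s\n",
           name(negotiate(ENABLE_RAWPK, CT_RAWPK, CT_NONE, 0, CT_X509, CT_NONE)));
    return 0;
}
```

<p dir="auto">The second scenario is the one the proposal relies on: a priority string naming CTYPE-RAWPK without the flag behaves exactly like a default X.509 configuration, so a peer that does not understand raw public keys never sees the extension. The last scenario shows why the fallback must not be silent: once the extension is on the wire and the server has nothing in common with it, returning CT_NONE and aborting is the safe outcome.</p>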


</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777777;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/merge_requests/650#note_110877089">view it on GitLab</a>.
<br>
</p>
</div>
</body>
</html>