<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<div>
<p dir="auto">Aha. Unfortunately, there is not much we can do for that. The TLS1.3 handshake is:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"></span>
<span id="LC2" class="line" lang="plaintext">       Client                                           Server</span>
<span id="LC3" class="line" lang="plaintext"></span>
<span id="LC4" class="line" lang="plaintext">Key  ^ ClientHello</span>
<span id="LC5" class="line" lang="plaintext">Exch | + key_share*</span>
<span id="LC6" class="line" lang="plaintext">     | + signature_algorithms*</span>
<span id="LC7" class="line" lang="plaintext">     | + psk_key_exchange_modes*</span>
<span id="LC8" class="line" lang="plaintext">     v + pre_shared_key*       --------></span>
<span id="LC9" class="line" lang="plaintext">                                                  ServerHello  ^ Key</span>
<span id="LC10" class="line" lang="plaintext">                                                 + key_share*  | Exch</span>
<span id="LC11" class="line" lang="plaintext">                                            + pre_shared_key*  v</span>
<span id="LC12" class="line" lang="plaintext">                                        {EncryptedExtensions}  ^  Server</span>
<span id="LC13" class="line" lang="plaintext">                                        {CertificateRequest*}  v  Params</span>
<span id="LC14" class="line" lang="plaintext">                                               {Certificate*}  ^</span>
<span id="LC15" class="line" lang="plaintext">                                         {CertificateVerify*}  | Auth</span>
<span id="LC16" class="line" lang="plaintext">                                                   {Finished}  v</span>
<span id="LC17" class="line" lang="plaintext">                               <--------  [Application Data*]</span>
<span id="LC18" class="line" lang="plaintext">     ^ {Certificate*}</span>
<span id="LC19" class="line" lang="plaintext">Auth | {CertificateVerify*}</span>
<span id="LC20" class="line" lang="plaintext">     v {Finished}              --------></span>
<span id="LC21" class="line" lang="plaintext">       [Application Data]      <------->  [Application Data]</span></code></pre>
<p dir="auto">meaning that the client has seen the client finished before it sends its certificate. That is, the server has no way to indicate rejection of the session due to the certificate in the normal handshake, so <code>gnutls_handshake()</code> for the client will not see that error.</p>
</div>
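<p dir="auto">The ordering argument in the comment above, worked through as an added example (not GnuTLS code, not the commenter's): a message-level model of the two handshakes with no cryptography, only the flight order of RFC 5246 and RFC 8446. It goes one step beyond the comment by running the same client certificate through a TLS 1.2 server, where the client still waits for the server's Finished and therefore sees the rejection inside the handshake. The certificate names, the trusted set and the <code>bad_certificate</code> alert are constructed for the example; a real server may send <code>unknown_ca</code> instead.</p>

```python
"""Message-ordering model of client authentication in TLS 1.2 vs TLS 1.3.

Added illustration, not an implementation: no keys, no crypto, only the
order in which handshake flights are sent and read, which is what decides
whether the server's rejection of the client certificate is visible to the
client's handshake call or only to its first read afterwards.
"""
from collections import deque

# Constructed data: the one client certificate the server's CA "trusts".
TRUSTED_CLIENT_CERTS = {"alice-cert"}


class HandshakeError(Exception):
    """An alert arrived while the client was still inside the handshake."""


class AlertReceived(Exception):
    """An alert arrived on a read after the handshake had completed."""


class Server:
    """Reacts to one client message at a time; replies are queued in `out`."""

    def __init__(self, version):
        self.version = version      # "1.2" or "1.3"
        self.out = []
        self.closed = False

    def receive(self, msg):
        if self.closed:
            return                  # torn down after a fatal alert
        kind = msg[0]
        if kind == "ClientHello":
            if self.version == "1.3":
                # RFC 8446 Figure 1: server Finished is sent before the server
                # has seen anything from the client beyond ClientHello.
                self.out += [("ServerHello",), ("EncryptedExtensions",),
                             ("CertificateRequest",), ("Certificate",),
                             ("CertificateVerify",), ("Finished",)]
            else:
                # RFC 5246: server Finished comes after the client's flight.
                self.out += [("ServerHello",), ("Certificate",),
                             ("CertificateRequest",), ("ServerHelloDone",)]
        elif kind == "Certificate":
            if msg[1] not in TRUSTED_CLIENT_CERTS:
                self.out.append(("Alert", "bad_certificate"))  # constructed name
                self.closed = True
        elif kind == "Finished":
            if self.version == "1.2":
                self.out.append(("Finished",))
            self.out.append(("ApplicationData", b"hello"))


class Client:
    """Drives the handshake against a Server, then reads what comes back."""

    def __init__(self, server, cert):
        self.server, self.cert, self.inbox = server, cert, deque()

    def _send(self, *flight):
        for m in flight:            # deliver the flight, collect the replies
            self.server.receive(m)
        self.inbox.extend(self.server.out)
        self.server.out.clear()

    def _expect(self, kind):
        msg = self.inbox.popleft()
        if msg[0] == "Alert":
            raise HandshakeError(msg[1])
        if msg[0] != kind:
            raise HandshakeError(f"unexpected {msg[0]}, wanted {kind}")

    def handshake(self):
        """Return 'complete' or raise HandshakeError, like a handshake call."""
        self._send(("ClientHello",))
        if self.server.version == "1.3":
            for kind in ("ServerHello", "EncryptedExtensions", "CertificateRequest",
                         "Certificate", "CertificateVerify", "Finished"):
                self._expect(kind)
            # Server Finished already verified; the client's auth flight is the
            # last thing sent and nothing more is awaited, so the handshake
            # reports success whatever the server thinks of the certificate.
            self._send(("Certificate", self.cert), ("CertificateVerify",), ("Finished",))
            return "complete"
        for kind in ("ServerHello", "Certificate", "CertificateRequest", "ServerHelloDone"):
            self._expect(kind)
        self._send(("Certificate", self.cert), ("ClientKeyExchange",),
                   ("CertificateVerify",), ("Finished",))
        self._expect("Finished")    # TLS 1.2: the alert shows up here instead
        return "complete"

    def recv(self):
        """First application-data read after the handshake."""
        msg = self.inbox.popleft()
        if msg[0] == "Alert":
            raise AlertReceived(msg[1])
        return msg[1]


def run(version, cert):
    """Summarise what a client presenting `cert` observes against `version`."""
    client = Client(Server(version), cert)
    try:
        client.handshake()
    except HandshakeError as e:
        return f"handshake failed: {e}"
    try:
        data = client.recv()
    except AlertReceived as e:
        return f"handshake ok, alert on first read: {e}"
    return f"handshake ok, read {data!r}"


if __name__ == "__main__":
    for version in ("1.2", "1.3"):
        for cert in ("alice-cert", "mallory-cert"):
            print(f"TLS {version}, {cert}: {run(version, cert)}")
```

<p dir="auto">With an untrusted certificate the TLS 1.2 run fails inside <code>handshake()</code>, while the TLS 1.3 run returns <code>complete</code> and the <code>bad_certificate</code> alert only surfaces from <code>recv()</code>. In GnuTLS terms, a client that needs to know whether its certificate was accepted therefore has to treat the first <code>gnutls_record_recv()</code> after a successful <code>gnutls_handshake()</code> as part of the authentication: on <code>GNUTLS_E_FATAL_ALERT_RECEIVED</code>, <code>gnutls_alert_get()</code> returns the alert the server sent.</p>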


</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777777;">
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/615#note_116321087">view it on GitLab</a>.
</p>
</div>
</body>
</html>