<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p class="details" style="font-style: italic; color: #777777;">
<a href="https://gitlab.com/nmav">Nikos Mavrogiannopoulos</a>
commented on a discussion
on <a href="https://gitlab.com/gnutls/gnutls/merge_requests/806#note_118010022">lib/constate.c</a>:
</p>
<table>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="743" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
743
</td>
<td class="diff-line-num new_line" data-linenumber="743" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
743
</td>
<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC743" class="line" lang="c"><span class="cp" style="color: #999; font-weight: 600;"> dst->prf = src->prf; \</span></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="744" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
744
</td>
<td class="diff-line-num new_line" data-linenumber="744" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
744
</td>
<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC744" class="line" lang="c"><span class="cp" style="color: #999; font-weight: 600;"> dst->grp = src->grp; \</span></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="745" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
745
</td>
<td class="diff-line-num new_line" data-linenumber="745" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
745
</td>
<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC745" class="line" lang="c"><span class="cp" style="color: #999; font-weight: 600;"> dst->pversion = src->pversion; \</span></span>
</pre>
</td>
</tr>
<tr class="line_holder new" id="">
<td class="diff-line-num new old_line" data-linenumber="746" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
</td>
<td class="diff-line-num new new_line" data-linenumber="746" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
746
</td>
<td class="line_content new noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#ecfdf0">
<pre style="margin: 0;">+<span id="LC746" class="line" lang="c"><span class="cp" style="color: #999; font-weight: 600;"> dst->client_ctype = src->client_ctype; \</span></span>
</pre>
</td>
</tr>
</table>
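<p dir="auto">Review bot: the added line copies only <code>client_ctype</code> into the resumed session, alongside the <code>prf</code>, <code>grp</code> and <code>pversion</code> copies above it; since the thread talks about certificate type negotiation extensions in the plural, check whether a server-side certificate type field also needs to survive resumption, and either copy it here as well or add a comment stating why only the client type is carried over. Copying the field also pins the resumed session to the certificate type negotiated in the original handshake, which is exactly the carry-over behaviour the discussion weighs against strict renegotiation, so a one-line comment on the macro recording that decision would spare future readers the same debate.</p>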
<div>
<blockquote dir="auto" style="color: #7f8fa4; border-left-width: 3px; border-left-color: #eaeaea; border-left-style: solid; margin: 0; padding: 0 0 0 15px;">
<p>Following that your first solution adheres to the spec and makes sure that the certificate type negotiation extensions are also renegotiated under TLS 1.3. Indeed we may end up in a situation where there is a certificate type mismatch between the newly negotiated type and the previously exchanged certificate. The question is, is this a problem?</p>
</blockquote>
<p dir="auto">Let's take an example. If we keep the strict RFC behavior, that is, if we adopt the behavior above, it means that in a resumed session <code>gnutls_certificate_type_get()</code> may return <code>raw</code> while <code>gnutls_certificate_get_peers</code> will return an X.509 certificate. How would you see that behavior as a potential user of these functions? It looks quite dangerous to me, especially if one cert can be read both ways (e.g., a specially crafted one - probably impossible in that example).</p>
<blockquote dir="auto" style="color: #7f8fa4; border-left-width: 3px; border-left-color: #eaeaea; border-left-style: solid; margin: 0; padding: 0 0 0 15px;">
<p>In the former case, should we propose a modification of the spec perhaps for this edge case? What do you think?</p>
</blockquote>
<p dir="auto">The only problematic case would be a situation where a protocol requires negotiation with X.509 certificates, while it allows resuming a session with a different certificate type for use in post-handshake authentication. Not sure how possible that scenario is, and it looks like a harmless limitation, but maybe we can even handle it the following way:</p>
<p dir="auto">if the resumed session negotiates a different certificate type than the original one, then all the authentication info data (i.e., certificates from the original session) are cleared up. That way the application will see an empty certificate, and could use the new certificate type in a potential post-handshake auth.</p>
<p dir="auto">What do you think?</p>
</div>
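<p dir="auto">An added example, not code from the merge request or from GnuTLS: a small C model of the two resumption behaviours discussed in this comment. It mirrors the field copy from the hunk, shows how strict renegotiation of the certificate type leaves the resumed session reporting a raw type over an inherited X.509 certificate, and then applies the proposed rule of clearing the inherited authentication info when the type changes. All names (<code>session_params</code>, <code>peer_auth</code>, <code>resume_strict</code>, <code>resume_with_clear</code>, the getters) and the sample values are constructed for the example and are not GnuTLS identifiers.</p>

```c
/* Added example (not GnuTLS code): model of certificate-type handling on
 * session resumption. All identifiers below are hypothetical. */

enum cert_type { CERT_TYPE_X509 = 0, CERT_TYPE_RAW = 1 };

/* Stand-in for the peer authentication info exchanged in the original
 * handshake (constructed). ncerts == 0 means "no certificate". */
struct peer_auth {
    enum cert_type type;   /* type of the stored certificate(s) */
    int ncerts;            /* number of stored certificates */
    const char *subject;   /* constructed label for the first certificate */
};

/* Subset of the security parameters carried in a session ticket. */
struct session_params {
    int prf;
    int grp;
    int pversion;
    enum cert_type client_ctype;
    struct peer_auth auth;
};

/* Same shape as the copy macro in the hunk: carry the negotiated
 * parameters, including client_ctype, from src into dst. */
static void copy_params(struct session_params *dst, const struct session_params *src)
{
    dst->prf = src->prf;
    dst->grp = src->grp;
    dst->pversion = src->pversion;
    dst->client_ctype = src->client_ctype;
    dst->auth = src->auth;
}

/* Getters modelled on the two functions named in the discussion. */
static enum cert_type get_cert_type(const struct session_params *s) { return s->client_ctype; }
static int get_peer_cert_count(const struct session_params *s) { return s->auth.ncerts; }

/* Returns 1 when the session reports a certificate type that disagrees
 * with the certificates it still holds; this is the state the comment
 * calls dangerous. */
static int type_mismatch(const struct session_params *s)
{
    return s->auth.ncerts != 0 && s->auth.type != s->client_ctype;
}

/* Strict-RFC behaviour: the resumed handshake renegotiates the type, but
 * the authentication info from the original session is kept as is. */
static int resume_strict(struct session_params *resumed,
                         const struct session_params *ticket,
                         enum cert_type renegotiated)
{
    copy_params(resumed, ticket);
    resumed->client_ctype = renegotiated;
    return type_mismatch(resumed);
}

/* Proposed rule: when the renegotiated type differs from the original
 * one, clear the inherited authentication info so the application sees
 * an empty certificate instead of one of the wrong type. */
static int resume_with_clear(struct session_params *resumed,
                             const struct session_params *ticket,
                             enum cert_type renegotiated)
{
    copy_params(resumed, ticket);
    if (renegotiated != ticket->client_ctype) {
        resumed->auth.ncerts = 0;
        resumed->auth.subject = 0;
        resumed->auth.type = renegotiated;
    }
    resumed->client_ctype = renegotiated;
    return type_mismatch(resumed);
}

/* Constructed ticket: original handshake used X.509 and stored one cert. */
static struct session_params make_ticket(void)
{
    struct session_params t = { 1, 2, 0x0304, CERT_TYPE_X509,
                                { CERT_TYPE_X509, 1, "CN=example (constructed)" } };
    return t;
}

/* Self-check: resumption renegotiates RAW. Returns 0 when the strict rule
 * exposes the mismatch and the clearing rule removes it. */
static int demo(void)
{
    struct session_params ticket = make_ticket();
    struct session_params strict, cleared;
    if (resume_strict(&strict, &ticket, CERT_TYPE_RAW) != 1) return 1;
    if (resume_with_clear(&cleared, &ticket, CERT_TYPE_RAW) != 0) return 2;
    if (get_peer_cert_count(&cleared) != 0) return 3;
    if (get_cert_type(&cleared) != CERT_TYPE_RAW) return 4;
    return 0;
}

int main(void) { return demo(); }
```

<p dir="auto">With the constructed ticket, <code>resume_strict</code> leaves a session whose type getter says raw while one X.509 certificate is still returned, and <code>resume_with_clear</code> yields a raw-typed session with no certificate; when the renegotiated type equals the original one, the clearing rule is a no-op and the original certificate is kept.</p>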
</div>
</body>
</html>