[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TLS 1.2 server

From: Simon Josefsson
Subject: Re: TLS 1.2 server
Date: Tue, 03 Nov 2009 07:35:54 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Nikos Mavrogiannopoulos <address@hidden> writes:

> Simon Josefsson wrote:
>> That's missing, right.  Client-authentication with TLS 1.2 and
>> certificate signing callbacks doesn't seem to be working right either,
>> the sign callback receives a string of size 36 (SHA1+MD5) but it should
>> be a PKCS#1 SHA1/SHA2 structure.
> Hi,
>  I think I fixed this part during the weekend, however I don't know if
> the value received by the callback is what it is expected.

Great, I'll check it.

Btw, I backed out some patch from the gnutls-2.8 branch because it was
added after I made the release candidate and I didn't want to delay the
release.  The patch looked quite large though, is it really appropriate
for 2.8.x?  TLS 1.2 isn't enabled by default in 2.8 because it never
worked well, so I don't think TLS 1.2 related fixes are suitable for
that branch.

>> Yeah, I know. :-(
>> My plan was to create some helper functions to do the hashing, and set
>> up separate hashing for all of MD5, SHA-1, SHA-2 and let the later code
>> figure out which hash to actually use.  This is wasteful, but that is
>> the TLS 1.2 design.
> I now use only SHA-1 and SHA-256 and wait for a fix in TLS 1.3 :)
> (MD5 is no use for a signature anyway, and the rest... just allow SHA-256 :)

Let's see if it gets fixed...  I'm not holding my breath.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]