GNU TLS 2.9.9 , sign/hash extension support

help-gnutls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GNU TLS 2.9.9 , sign/hash extension support

From:	Manish Patidar
Subject:	GNU TLS 2.9.9 , sign/hash extension support
Date:	Mon, 8 Mar 2010 22:33:47 +0530

Hi ,

I was going through the GNU TLS 2.9.9 source code that support TLS 1.2.
I have following doubts in gnutls that support of TLS 1.2 rfc

1. While selecting server cert and chain, GNUTLS just compare server certificate with client requested sign/hash extension, not the whole chain.
    if it matched one of the server certificate , it will select the chain.
but according to TLS 1.2 , whole chain must matched with one of the sign/hash algo supported by client.

    Is my understanding is correct ..?

    If not , how and which part of code GNU TLS compare the sign/hash algo with the whole chain.

2. While selecting client cert list in response of client cert request, GNU TLS doesn't use parsed sign/hash algo supported server.
it just use the cert type and dns name for selecting cert chain ,not sign/hash algo
but according to TLS 1.2 , client must compare and select cert chain that matches with one of the sign/hash supported by server.

    Please let me know if am correct or not.

    Please provide some of your valuable inputs which clarify above point

Regards
Manish

[Prev in Thread]

Current Thread

[Next in Thread]

GNU TLS 2.9.9 , sign/hash extension support, Manish Patidar <=

Next by Date: GnuTLS VirtualHost with properly signed certificates
Next by thread: GnuTLS VirtualHost with properly signed certificates
Index(es):
- Date
- Thread