[PATCH] client-side TLS 1.2 support
Simon Josefsson
simon at josefsson.org
Mon Aug 31 15:33:54 CEST 2009
Daiki Ueno <ueno at unixuser.org> writes:
>>>>>> In <87fxbdjt8v.fsf_-_ at mocca.josefsson.org>
>>>>>> Simon Josefsson <simon at josefsson.org> wrote:
>> Daiki Ueno <ueno at unixuser.org> writes:
>
>> >> Finishing the TLS 1.2 support and adding the new cipher suites is a
>> >> high-priority task and it shouldn't be too difficult since there are TLS
>> >> 1.2 test servers out there to test with.
>> >
>> > Thanks for the hint. I'll check which features of TLS 1.2 are not
>> > implemented. Adding HMAC-SHA256 cipher suites looks one thing to do.
>
>> Actually TLS 1.2 is not working in GnuTLS now, the drafts changed how
>> the negotiation worked after I implemented it and I never found time to
>> update it to support the protocol defined by the final RFC.
>
> I just realized it ;-)
>
> I'm attaching a set of patches to provide minimal fix for client side
> TLS 1.2 support. I've confirmed them working against Mike's test
> server:
>
> $ gnutls-cli --debug 10 --protocols TLS1.2 -p 443 www.mikestoolbox.net
Confirmed, also working against
https://tls.woodgrovebank.com/
Before we enable TLS 1.2 by default, I think what is missing are:
* Check server-side TLS 1.2
* Add SHA-2 ciphersuites
* Add self-test of TLS 1.2 ciphers/features
/Simon
More information about the Gnutls-devel
mailing list