Support for trusted_ca_keys extension during TLS handshake

David Fuhrmann david.fuhrmann at
Wed Oct 31 13:22:53 CET 2012

2012/10/31 Nikos Mavrogiannopoulos <nmav at>

> On Tue, Oct 30, 2012 at 4:45 PM, David Fuhrmann
> <david.fuhrmann at> wrote:
> > Hello,
> >
> > Currently, I am searching for a TLS library that already supports the
> > trusted_ca_keys extension inside the extended client hello message as
> > described here:
> GnuTLS doesn't support this extension. You can check the capabilities
> of various implementations at:
> The particular extension that you're looking for isn't listed meaning
> it may not be implemented by anyone.

Hi Nikos,

Yes, I already found this page. This extension isn't listed on the page,
but I thought that this does not necessarily mean that it is not supported
by any library.

But as far as I could find out, even OpenSSL seems to not support this
particular extension.

> > As it is quite difficult to find any information about an implementation
> > for that over Google search, I want to ask you if this extension is
> > already (or will soon be) supported by GnuTLS? If not, does anybody know
> > another implementation / library which already supports this extension?
> It is not in our plans to implement since it doesn't look particularly
> useful/interesting. If you submit a patch however it may be included.
> What is your use case for this extension?

I have the situation that an embedded system only has a limited and static
set of CA certificates installed (at production time). For these CA
certificates, it is intended that you can have newer ones with an
overlapping validity period. So, the server needs to know which TLS
certificate it needs to deliver so that the embedded system can verify it
with the existing CA certificate.

Best regards,
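The use case described in the message above, a server choosing which certificate chain to present from the CA identifiers the client sends, as an added example that is not from this thread, GnuTLS or any other library: a minimal encoder/decoder for the TrustedAuthorities structure of RFC 6066 section 6 and a chain selector keyed on cert_sha1_hash. The root certificates and chain names are constructed stand-ins, not real DER.

```python
import hashlib
import struct

# RFC 6066 section 6: IdentifierType values used inside each TrustedAuthority.
PRE_AGREED, KEY_SHA1_HASH, X509_NAME, CERT_SHA1_HASH = 0, 1, 2, 3
TRUSTED_CA_KEYS_EXT_TYPE = 3  # ExtensionType trusted_ca_keys(3)

def cert_sha1(der):
    """SHA1Hash of a certificate as the client would put it in cert_sha1_hash."""
    return hashlib.sha1(der).digest()

def encode_trusted_authorities(authorities):
    """Encode [(identifier_type, payload)] as extension_data: a 2-byte length
    followed by the TrustedAuthority entries."""
    body = b""
    for id_type, ident in authorities:
        if id_type == PRE_AGREED:
            body += bytes([id_type])
        elif id_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            if len(ident) != 20:
                raise ValueError("SHA1Hash must be exactly 20 bytes")
            body += bytes([id_type]) + ident
        elif id_type == X509_NAME:  # DistinguishedName<1..2^16-1>
            body += bytes([id_type]) + struct.pack("!H", len(ident)) + ident
        else:
            raise ValueError("unknown IdentifierType %d" % id_type)
    return struct.pack("!H", len(body)) + body

def decode_trusted_authorities(data):
    """Parse extension_data back into [(identifier_type, payload)], rejecting
    a list whose declared length disagrees with the bytes actually received."""
    (total,) = struct.unpack("!H", data[:2])
    if total != len(data) - 2:
        raise ValueError("trusted_authorities_list length mismatch")
    out, pos, end = [], 2, 2 + total
    while pos < end:
        id_type = data[pos]; pos += 1
        if id_type == PRE_AGREED:
            out.append((id_type, b""))
        elif id_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            out.append((id_type, data[pos:pos + 20])); pos += 20
        elif id_type == X509_NAME:
            (n,) = struct.unpack("!H", data[pos:pos + 2]); pos += 2
            out.append((id_type, data[pos:pos + n])); pos += n
        else:
            raise ValueError("unknown IdentifierType %d" % id_type)
        if pos > end:
            raise ValueError("TrustedAuthority entry runs past list end")
    return out

def select_chain(extension_data, chains):
    """Server side: return the name of the first chain whose root the client
    listed by cert_sha1_hash, or None to fall back to the default chain."""
    trusted = {i for t, i in decode_trusted_authorities(extension_data) if t == CERT_SHA1_HASH}
    return next((name for root, name in chains.items() if cert_sha1(root) in trusted), None)

# Constructed stand-ins for two root CA generations with overlapping validity.
OLD_ROOT, NEW_ROOT = b"constructed-old-root-ca", b"constructed-new-root-ca"
CHAINS = {OLD_ROOT: "chain-signed-by-old-root", NEW_ROOT: "chain-signed-by-new-root"}
```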