[gnutls-devel] multiple keys + certificates for gnutls-serv (and gnutls_certificate_set_key())
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Feb 22 02:09:44 CET 2016
Hi GnuTLS folks--
gnutls-serv limits itself to one --x509keyfile argument, and if you
supply multiple keys and multiple certs, it appears to only use the
first one.
I haven't looked into whether this is handled cleanly in
gnutls_certificate_set_key(), but it's documented as:
>> If multiple certificates are used with the functions above each
>> client’s request will be served with the certificate that matches the
>> requested name (see Server name indication).
It would be good to be able to launch gnutls-serv with multiple
keys and certificates, but multiple names are not the only form of
certificate selection that GnuTLS should do.
A couple of other selections:
(a) an RSA key and an ECDSA key, to support connections with different
server signature mechanisms based on ciphersuites.
(b) one RSA key with a cert marked for signing-only (DHE-RSA, ECDHE-RSA
key exchanges), and another RSA key with a cert marked for
encryption only (non-PFS RSA key exchange)
(b) in particular is desirable if we want to defend against a possible
future Bleichenbacher attack, as described by Tibor Jager:
https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf
So perhaps this is two requests:
* allow multiple certs in gnutls-serv
* improve default certificate selection mechanisms based on ciphersuite
negotiation (both signature algorithms and key exchange algorithms),
not just server name.
Does this seem reasonable?
--dkg
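The selection policy the message asks for (pick the certificate by SNI *and* by what the negotiated key exchange needs from the key) can be sketched as a small model. This is an added illustration, not code from the post and not GnuTLS's own implementation; the class and function names, the key-exchange table, and the certificate inventory are all constructed for the example.

```python
"""Model of server certificate selection driven by SNI and key exchange.
Illustrative only: not GnuTLS code; the inventory below is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    label: str                 # identifier for the key/cert pair (constructed)
    name: str                  # dNSName the cert covers, may be "*.example"
    key_type: str              # "RSA" or "ECDSA"
    key_usage: FrozenSet[str]  # X.509 keyUsage bits present in the cert


# What each key exchange demands of the server certificate (assumed table).
# Static RSA needs a key allowed to *encrypt* the premaster secret; the
# (EC)DHE variants need a key allowed to *sign* the ephemeral parameters.
KX_REQUIREMENTS: Dict[str, Tuple[str, str]] = {
    "RSA":         ("RSA",   "keyEncipherment"),
    "DHE-RSA":     ("RSA",   "digitalSignature"),
    "ECDHE-RSA":   ("RSA",   "digitalSignature"),
    "ECDHE-ECDSA": ("ECDSA", "digitalSignature"),
}


def key_exchange_of(iana_suite: str) -> str:
    """'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' -> 'ECDHE-RSA'."""
    head = iana_suite[4:] if iana_suite.startswith("TLS_") else iana_suite
    return head.split("_WITH_", 1)[0].replace("_", "-")


def name_matches(cert_name: str, sni: str) -> bool:
    """Exact match, or a single-label match for a '*.' wildcard name."""
    cert_name, sni = cert_name.lower(), sni.lower()
    if cert_name == sni:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                       # ".example.com"
        if not sni.endswith(suffix):
            return False
        prefix = sni[:-len(suffix)]                  # the leftmost label(s)
        return bool(prefix) and "." not in prefix    # exactly one label
    return False


def select_certificate(certs: List[ServerCert], sni: Optional[str],
                       kx: str) -> Optional[ServerCert]:
    """Return the cert to present for this key exchange, or None if none fits."""
    req = KX_REQUIREMENTS.get(kx)
    if req is None:                                  # unsupported key exchange
        return None
    key_type, usage = req
    usable = [c for c in certs if c.key_type == key_type and usage in c.key_usage]
    if not usable:
        return None
    if sni:                                          # prefer the name the client asked for
        for c in usable:
            if name_matches(c.name, sni):
                return c
    return usable[0]                                 # no SNI or no match: first configured


def choose_suite_and_cert(certs: List[ServerCert], sni: Optional[str],
                          offered: List[str]) -> Optional[Tuple[str, ServerCert]]:
    """Walk the offered suites in order; take the first one a certificate can serve."""
    for suite in offered:
        cert = select_certificate(certs, sni, key_exchange_of(suite))
        if cert is not None:
            return suite, cert
    return None


# Constructed inventory: a signing-only RSA cert, an encryption-only RSA cert
# (the split the message calls (b)), an ECDSA cert, and an RSA cert for another name.
INVENTORY = [
    ServerCert("rsa-sign",  "example.com",   "RSA",   frozenset({"digitalSignature"})),
    ServerCert("rsa-enc",   "example.com",   "RSA",   frozenset({"keyEncipherment"})),
    ServerCert("ecdsa",     "example.com",   "ECDSA", frozenset({"digitalSignature"})),
    ServerCert("rsa-other", "other.example", "RSA",
               frozenset({"digitalSignature", "keyEncipherment"})),
]

if __name__ == "__main__":
    offered = ["TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
               "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
               "TLS_RSA_WITH_AES_128_CBC_SHA"]
    print(choose_suite_and_cert(INVENTORY, "example.com", offered))
```

The point the model makes is that a static-RSA suite must not be served with the signing-only certificate and vice versa, and that an SNI match only narrows the choice among certificates that already satisfy the key exchange; if no certificate fits, the suite is skipped rather than served with the wrong key.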