[gnutls-devel] RFC 7250 and API change

Rick van Rein rick at openfortress.nl
Mon May 2 12:53:22 CEST 2016


Hey Nikos!

> I believe we can easily switch from CTYPE-X509 to CTYPE-RAW or KRB,
> because of the existing support for openpgp keys, but the asymmetric
> certificate negotiation is not something the current API can
> accommodate without the application being explicitly modified for it.

As stated in this thread's subject ;-)

> However, even if we could avoid that explicit enabling, would that
> really help? I mean, is there an application which can transparently be
> moved to CTYPE-RAW for client and CTYPE-X509 for server keys without a
> change?

I wrote a certs cred callback for the TLS Pool before looking at RFC 7250.
It simply requests the bidir certtype and delivers what is being asked.
Had it requested the client certtype, then it would have automatically
done what it needed to do.  That is the one change that would have to be
made.  But it's only going to show up everywhere when the bidir certtype
getter stops being linkable; then app developers must choose which to
use.  And from that point on, yes, the applications ought to be ready
for it, I'd say.

But that's breaking an API, and this is harsh.  As I said, there are no
really convenient solutions.  (Another being to have to provide an
indicator forever and ever.)

-Rick