[gnutls-devel] GnuTLS & setting KX algorithm for session
Nikos Mavrogiannopoulos
nmav at gnutls.org
Wed Nov 30 15:27:25 CET 2016
On Wed, Nov 30, 2016 at 10:04 AM, Dmitry Eremin-Solenikov
<dbaryshkov at gmail.com> wrote:
> Hello,
>
> I'm developing new KX handler in GnuTLS (for GOST TLS). Right now I'm observing
> that during the call to gnutls_generate_client_crt_vrfy() callback,
> the gnutls_kx_get() function returns 0 (KX_UNKNOWN) for this session
> instead of the correct KX.
>
> Is it my fault, bug or misfeature?
Thanks, nice catch. It is both a bug and a feature. Key usage
violations were tolerated since 3.1.4 due to many server
misconfigurations (e.g., server restricting the certificate to
signing but attempting encryption). So it seems that at some point
the checking code became a no-op. Your finding is a good opportunity to
rewrite that part and enable such detection without damaging
usability.
regards,
Nikos