[gnutls-devel] GnuTLS & setting KX algorithm for session

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Nov 30 15:27:25 CET 2016

On Wed, Nov 30, 2016 at 10:04 AM, Dmitry Eremin-Solenikov
<dbaryshkov at gmail.com> wrote:
> Hello,
> I'm developing new KX handler in GnuTLS (for GOST TLS). Right now I'm observing
> that during the call to gnutls_generate_client_crt_vrfy() callback,
> the gnutls_kx_get()
> function returns 0 (KX_UNKNOWN) for this session instead of the correct KX.
> Is it my fault, bug or misfeature?

Thanks, nice catch. It is both a bug and a feature. Key usage
violations were tolerated since 3.1.4 due to many server
misconfigurations (e.g., server restricting the certificate to
signining but attempting encryption). So it seems that at some point
the checking code became a no-op. You finding is a good opportunity to
rewrite that part and enable such detection without damaging


More information about the Gnutls-devel mailing list