[gnutls-devel] GnuTLS | Add GOST-CNT ciphersuite support (!1119)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Nov 13 12:48:47 CET 2019




Nikos Mavrogiannopoulos started a new discussion on tests/tls13-server-kx-neg.c: https://gitlab.com/gnutls/gnutls/merge_requests/1119#note_243958794

> +	},
> +	{
> +		.name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert",
> +		.server_ret = 0,
> +		.client_ret = 0,
> +		.have_cert_cred = 1,
> +		.have_gost12_512_cert = 1,
> +		.not_on_fips = 1,
> +		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2",
> +		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:"PVERSION,
> +		.exp_version = GNUTLS_TLS1_2,
> +	},
> +	/* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST
> +	 * but this is unsuppored for now */
> +	{
> +		.name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert",
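
Review bot: The comment above the "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert" entry misspells "unsupported" as "unsuppored", and it says only that falling back to TLS 1.2 + GOST is not supported, without saying what the next two cases assert in its place. Please state the outcome they currently expect, so that whoever adds the fallback knows which entries to update. A smaller style point: in the GOST-512 entry, .server_prio is built from two adjacent literals ("NORMAL:-KX-ALL:+VKO-GOST-12:" "-VERS-ALL:+VERS-TLS1.2") with no macro between them, unlike .client_prio, so it can be written as a single string.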

Wouldn't that be an obstacle in enabling GOST system-wide?

What if we disable TLS1.3 explicitly for clients and servers which enable GOST? Alternatively, should we be passing the ciphersuite list to the version negotiation extension to identify whether TLS1.3 should be skipped?
