[gnutls-devel] GnuTLS | DH RFC7919 negotiation not enabled automatically (#1077)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat Aug 29 19:47:50 CEST 2020




Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1077#note_404205950

> do you think it is preferable to not offer TLS1.2 DHE ciphers suites than doing something equal to gnutls_certificate_set_known_dh_params() by default?

No. I'm only saying that, if none of `gnutls_certificate_set_known_dh_params` nor `gnutls_certificate_set_known_dh_params` is called, the server can only accept DHE through the RFC7919 way, that requires the client to advertise "supported_groups".

If the server wants to support clients that don't send "supported_groups" in TLS 1.2, the server still needs to call `gnutls_certificate_set_known_dh_params`, whose documentation should be updated accordingly I think.

But yes, I'm not the one who designed this deprecation, so the actual intention might be to make this fully automatic. I don't know. Perhaps @dkg might have an opinion on that.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1077#note_404205950
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200829/d64f3ab5/attachment.html>


More information about the Gnutls-devel mailing list