[gnutls-devel] GnuTLS | New priority string: `%NO_EC_POINT_FORMAT` (and, test in gnutls-cli-debug) (#1448)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Jan 25 22:24:12 CET 2023

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1448

In TLS 1.3, the EC Point Format extension is deprecated.  It looks like some TLS servers (at least those from [Vencel](https://vencel.com)) appear to send a handshake failure alert if the ClientHello does not contain an `ec_point_format` extension.

It would be useful to introduce a new priority string named something like `%NO_EC_POINT_FORMAT` which would cause the TLS client to omit the extension entirely.  It would also be a useful test to add to `gnutls-cli-debug`.  This test would report whether the handshake succeeds if the extension is omitted.


Note: I discovered this [looking into a failure with RIPE Atlas probes](https://github.com/RIPE-NCC/ripe-atlas-probe-measurements/pull/15), after some manual testing.  GnuTLS doesn't have a problem connecting to Vencel servers, but the probe did.  Having a way to diagnose the connection failure directly from the `gnutls-cli-debug` would have made my testing simpler and easier.
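As an added illustration of the check proposed above (not GnuTLS code, and not the proposed priority string itself), the following Python script builds a minimal TLS 1.3 ClientHello with or without the `ec_point_formats` extension and reports whether the server answers with a ServerHello or an alert, which is what a `gnutls-cli-debug` test for this behaviour would report. It assumes a hypothetical probe that stops at the server's first record, so the x25519 key share is a random placeholder and no keys are ever derived.

```python
import os
import socket
import struct

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(host, include_ec_point_formats):
    """Minimal TLS 1.3 ClientHello: SNI, x25519 group, two sigalgs, supported_versions, key_share."""
    sni = _ext(0, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host.encode())
    groups = _ext(10, struct.pack("!HH", 2, 0x001D))            # supported_groups: x25519
    sigalgs = _ext(13, struct.pack("!HHH", 4, 0x0403, 0x0804))  # ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256
    versions = _ext(43, struct.pack("!BH", 2, 0x0304))          # supported_versions: TLS 1.3 only
    placeholder_pub = os.urandom(32)  # constructed placeholder key share; we never finish the handshake
    key_share = _ext(51, struct.pack("!HHH", 36, 0x001D, 32) + placeholder_pub)
    exts = sni + groups + sigalgs + versions + key_share
    if include_ec_point_formats:
        exts += _ext(11, b"\x01\x00")  # ec_point_formats: uncompressed (deprecated in TLS 1.3)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"       # legacy_version, random, empty session id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # TLS_AES_128/256_GCM_SHA256/384
            + b"\x01\x00"                                 # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extension_types(record):
    """Walk a ClientHello record built above and return the extension types it carries."""
    p = 5 + 4 + 2 + 32                                     # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                     # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]       # cipher suites
    p += 1 + record[p]                                     # compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]  # extensions block
    p, types = p + 2, []
    while p < end:
        ext_type, length = struct.unpack("!HH", record[p:p + 4])
        types.append(ext_type)
        p += 4 + length
    return types

def classify_response(data):
    """Interpret the first record the server sends back: ServerHello, alert(<description>), or other."""
    if len(data) < 7:
        return "no-response"
    if data[0] == 0x16 and data[5] == 0x02:
        return "server_hello"
    if data[0] == 0x15:
        return "alert(%d)" % data[6]   # 40 is handshake_failure
    return "other"

def probe(host, port=443, include_ec_point_formats=False, timeout=5):
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host, include_ec_point_formats))
        return classify_response(sock.recv(4096))
```

Run `probe(host, include_ec_point_formats=True)` and then `probe(host, include_ec_point_formats=False)`; a server that only answers the second call with `alert(40)` is one that requires the deprecated extension.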
