[gnutls-devel] GnuTLS | gnutls-cli should support multiple certificates for PQC hybrid/transitional scenarios (#1758)

[Read-only notification of GnuTLS library development activities]

Daniel P_ Berrangé created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1758



The `gnutls-serv` tool supports loading multiple certificate identities for a server, allowing the admin to provide a cert with RSA and a cert with ML-DSA. This allows a client to negotiate a session with either traditional or PQC algorithms.

Consider if a `gnutls-serv` is launched with `--require-client-cert --verify-client-cert`.  At the time `gnutls-cli` is launched, the admin does not necessarily know if the connection to the server will be using RSA or ML-DSA, so does not know which client certificate to provide as its identity. 

If `gnutls-cli` supported loading multiple certificates, then gnutls could provide the correct client identity depending on what the session with the server negotiated.

The gnutls APIs appear to already do the right thing with handling multiple client certs if the app calls `gnutls_certificate_set_x509_key` multiple times. Just the glue for `gnutls-cli` appears missing.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1758
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20251030/56334f5e/attachment.html>