gnutls-devel

[gnutls-dev] Server->client cert. request not TLS 1.2-compatible


From: Ludovic Courtès
Subject: [gnutls-dev] Server->client cert. request not TLS 1.2-compatible
Date: Mon, 18 Dec 2006 19:19:52 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

Hi,

`_gnutls_gen_cert_server_cert_req ()' is not TLS 1.2-aware, unlike
`_gnutls_proc_cert_cert_req ()'.  Specifically TLS 1.2 requires (per
`draft-ietf-tls-rfc4346-bis-02.txt') certificate request messages to
include a `certificate_hash' sequence.  While `proc_cert_cert_req' does
expect and read this sequence when in TLS 1.2,
`gen_cert_server_cert_req' does not issue that sequence.

A temporary workaround that may only work with GnuTLS-based TLS 1.2
clients/servers is attached: basically, it modifies
`gen_cert_server_cert_req' so that it produces an empty hash algorithm
sequence.

Again, if need be, I'd be glad to provide a real fix based on your
input.

Thanks,
Ludovic.


--- orig/lib/auth_cert.c
+++ mod/lib/auth_cert.c
@@ -1403,6 +1403,7 @@
   gnutls_certificate_credentials_t cred;
   int size;
   opaque *pdata;
+  gnutls_protocol_t ver = gnutls_protocol_get_version (session);
 
   /* Now we need to generate the RDN sequence. This is
    * already in the CERTIFICATE_CRED structure, to improve
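Review bot: the new local `ver` in the declaration block is read only once in this patch, by the `ver == GNUTLS_TLS1_2` test in the next hunk. Consider calling `gnutls_protocol_get_version (session)` at that test instead, or keep the local and add a short comment saying that the negotiated version decides whether the TLS 1.2 hash list is emitted.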
@@ -1439,6 +1440,13 @@
   pdata[2] = DSA_SIGN;         /* only these for now */
   pdata += CERTTYPE_SIZE;
 
+  if (ver == GNUTLS_TLS1_2)
+    {
+      /* supported hashes (nothing for now -- FIXME) */
+      *pdata = 0;
+      pdata++, size++;
+    }
+
   if (session->security_parameters.cert_type == GNUTLS_CRT_X509 &&
       session->internals.ignore_rdn_sequence == 0)
     {
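Review bot: `size++` in the TLS 1.2 branch runs after `pdata` is already being written (`pdata[2] = DSA_SIGN;` just above), so a buffer sized from `size` earlier in the function would not include this extra byte. The allocation is not visible in this hunk; if it precedes these writes, the hash-list length byte should be counted where `size` is first computed, otherwise the data appended after it can run one byte past the end of the buffer. Splitting `pdata++, size++;` into two statements would also read more clearly.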

