author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2017-09-23 08:37:50 +0200
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-09-25 14:26:38 +0200
commit: 1bec2f8c843eb6937bce4106bf9ff7fa3f7410f5 (patch)
tree: 4e9c375ad11fe81f4d87d6b3d488a17b13800552 /NEWS
parent: 0ad717cf20fa2ac4c1c293ff6662707704da10f7 (diff)
signature: on client side, refuse to negotiate non-enabled signature schemes
That amends/reverts commit 6aa8c390b08a25b18c0799fbd42bd0eec703fae4: "On client side allow signing with the signature algorithm of our cert".

Previously, when we initially disabled DSA, we allowed client certificates which can do DSA-SHA1 to be utilized to ease migration from these certificates.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'NEWS'):

-rw-r--r--  NEWS | 8
1 files changed, 8 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 766336a6d0..d28bd2b2d6 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,14 @@ See the end for copying conditions.
TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
in TLS 1.2. As such, no reason to keep supporting it.
+** libgnutls: Refuse to use client certificates containing disallowed
+ algorithms for a session. That reverts a change on 3.5.5, which allowed
+ a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
+ to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
+ The previous approach was to allow a smooth move to client infrastructure
+ after the DSA algorithm became disabled by default, and is no longer necessary
+ as DSA is now being universally depracated.
+
** p11tool: added options --sign-params and --hash. This allows testing
signature with multiple algorithms, including RSA-PSS.
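Review bot: the added NEWS entry has a typo in its last line, "as DSA is now being universally depracated." should read "deprecated". Two smaller wording points in the same entry: "due to his old DSA certificate" would read better as "because of an old DSA certificate", and "That reverts a change on 3.5.5" would be easier to trace if it named the reverted commit (6aa8c390b08a25b18c0799fbd42bd0eec703fae4, as the commit message does) or the 3.5.5 NEWS entry it undoes.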