diff options
author | Daiki Ueno <dueno@redhat.com> | 2019-04-04 17:01:24 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2019-04-04 17:11:04 +0200 |
commit | 005a4d04145707daad9588acedfdb5f6cd97c80c (patch) | |
tree | fa8ffee9efd8e900b65d925c90fee64d5a190d9b /tests/tls13-cert-key-exchange.c | |
parent | 344c77b755f68370a098b90ef2ce981b829dd534 (diff) | |
download | gnutls-005a4d04145707daad9588acedfdb5f6cd97c80c.tar.gz |
cert auth: reject auth if no signature algorithm is usable in TLS 1.3
Previously, when there is no overlap between usable signature
algorithms and the "signature_algorithms" extension in Certificate
Request, the client failed in sending Certificate Verify, followed by
a connection close. In TLS 1.3, it is possible to keep the connection
but reject the authentication by not sending Certificate Verify.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'tests/tls13-cert-key-exchange.c')
-rw-r--r-- | tests/tls13-cert-key-exchange.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tests/tls13-cert-key-exchange.c b/tests/tls13-cert-key-exchange.c index d59811c760..0eae61c44f 100644 --- a/tests/tls13-cert-key-exchange.c +++ b/tests/tls13-cert-key-exchange.c @@ -135,7 +135,7 @@ void doit(void) try_with_key_fail("TLS 1.3 with rsa-pss cert and rsa cli cert with only RSA-PSS sig algos", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512", - GNUTLS_E_AGAIN, GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY, + GNUTLS_E_CERTIFICATE_REQUIRED, GNUTLS_E_SUCCESS, &server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, &cli_ca3_cert, &cli_ca3_key); try_with_key_fail("TLS 1.3 with rsa encryption cert", |