Carolin Latze <[email protected]> writes:

> Hi Simon,
>
> I tried to use TLS 1.2 with and without sign callback, and I still see a
> signature of 36 bytes... Even if there is a leading SHA-1 OID, shouldn't
> it be max 35 then?
Hi, and thanks for testing. Nope, then it doesn't work. :-(

I recall the SHA-1 OID plus the SHA-1 hash is 32 bytes. I suspect this
indicates that signing using _client_ certificates hasn't been made to work
with TLS 1.2 yet. I'll try to get an environment up where I can start
debugging this better. It should be possible to get something working now
that both Opera 10 and mikestoolbox.* are available for testing.

> Maybe we should check, whether I check the right variables:
>
> In gnutls_sig.c, method _gnutls_tls_sign_hdata, there is a structure
> called dconcat. dconcat.size holds the hash size, right? and
> dconcat.data should hold the hash itself? dconcat.size has a value of 36
> for me...
>
> If I use the sign callback, I print the value of hash->size (=36) and
> hash->data (cannot see the OID included in that value, so for me it
> looks like it is really not SHA-1 only).
>
> Maybe I check the wrong values?

No, you did right -- if it works, the first few bytes of the data to sign
should be an OID which should be easy to identify.

/Simon

> BTW: I used the latest Snapshot, 2.9.8 to test it.
>
> Sorry... :-/
> Carolin
>
> Simon Josefsson wrote:
>> Carolin Latze <[email protected]> writes:
>>
>>> Hi all,
>>>
>>> according to RFC 5246, TLS 1.2 should use a standard signature, but if
>>> I enable TLS 1.2 in GnuTLS and print out the hash size it says
>>> 36... that does not sound like a standard signature.. I would expect
>>> something like 20 for SHA1. Am I wrong?
>>
>> Hi! With GnuTLS 2.9.7 I hope this should work better -- could you take
>> a look? It should have more solid TLS 1.2 support.
>>
>> Thanks,
>> Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
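The sizes being debated above can be checked directly. The following is an added example, not code from the thread or from GnuTLS: it builds the two CertificateVerify inputs from the RFCs (TLS 1.0/1.1 per RFC 4346 section 7.4.8 signs the raw MD5 || SHA-1 concatenation, 36 bytes with no OID; TLS 1.2 per RFC 5246 section 4.7 signs a PKCS#1 v1.5 DigestInfo, i.e. a DER OID prefix followed by the hash, which is 35 bytes for SHA-1 and 51 for SHA-256) and classifies a buffer handed to a sign callback by its length and leading bytes. The handshake bytes are constructed here; the function names are this example's own and correspond to nothing in gnutls_sig.c.

```python
import hashlib

# DER-encoded DigestInfo prefixes from RFC 3447 section 9.2 (PKCS#1 v1.5).
# The raw hash value is appended immediately after each prefix.
DIGESTINFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),    # 18 bytes
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),         # 15 bytes
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),  # 19 bytes
}


def tls11_certverify_input(handshake_messages: bytes) -> bytes:
    """TLS 1.0/1.1 RSA CertificateVerify input: MD5 || SHA-1, no OID, 36 bytes."""
    return (hashlib.md5(handshake_messages).digest()
            + hashlib.sha1(handshake_messages).digest())


def tls12_certverify_input(handshake_messages: bytes, hash_name: str = "sha1") -> bytes:
    """TLS 1.2 RSA CertificateVerify input: DigestInfo(OID || hash), signed with PKCS#1 v1.5."""
    digest = hashlib.new(hash_name, handshake_messages).digest()
    return DIGESTINFO_PREFIX[hash_name] + digest


def classify_sign_input(data: bytes) -> str:
    """Tell from the bytes passed to a sign callback which construction produced them."""
    for name, prefix in DIGESTINFO_PREFIX.items():
        expected_len = len(prefix) + hashlib.new(name).digest_size
        if data.startswith(prefix) and len(data) == expected_len:
            return f"tls1.2 DigestInfo({name})"
    if len(data) == 36:
        return "tls1.0/1.1 MD5||SHA-1 (no OID)"
    return "unknown"


if __name__ == "__main__":
    # Constructed stand-in for the concatenated handshake messages.
    handshake = b"ClientHello...ServerHello...Certificate...ClientKeyExchange"
    for label, buf in (
        ("tls1.1 input", tls11_certverify_input(handshake)),
        ("tls1.2 sha1 input", tls12_certverify_input(handshake, "sha1")),
        ("tls1.2 sha256 input", tls12_certverify_input(handshake, "sha256")),
    ):
        print(f"{label}: {len(buf)} bytes, leading {buf[:4].hex()} -> {classify_sign_input(buf)}")
```

A 36-byte buffer whose first bytes are not 0x30 0x21 is the pre-1.2 concatenation; a TLS 1.2 stack using SHA-1 hands the callback 35 bytes starting with 30 21 30 09 06 05 2b 0e 03 02 1a, and no hash in the table yields 32.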
