On 09-08-2010 19:09, Erwann ABALEA wrote:
Hodie V Id. Aug. MMX, Erwann ABALEA scripsit:
[...]
This is not possible, as the ciphersuites defined by RFC5246 all
use P_SHA256 as the PRF (paragraph 1.2).
In paragraph 5, it is said "New cipher suites MUST explicitly specify
a PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a
stronger standard hash function". That's precisely what is done, since
new ciphersuites use P_SHA256 as the PRF. Using the old PRF with the
new ciphersuites is not standard at all.

I just checked NSS (3.12.6) and GNUTLS (2.11.0).

NSS doesn't support TLS1.2 at all, neither the protocol nor the
ciphersuites. Some code needs to be adapted to specify the PRF to be
used.

GNUTLS supports TLS1.2, with its ciphersuites, and all the new
ciphersuites use SHA256 as the PRF. If a new ciphersuite with a
stronger hash function is defined as its PRF, then GNUTLS would have
to be modified (right now the selection of the PRF is done by the TLS
version from which the ciphersuite is issued).

So, using the old PRF with new ciphersuites is nonstandard, but could
also lead to interoperability problems.

The issue is which PRF to use when the TLS version is <= 1.1 but the
ciphersuite is from RFC5246 Appendix A.  The TLS 1.1 and older standards
then insist on the old PRF no matter what cipher suite is used, while the
cipher suite definitions (in RFC5246 Appendix A) specify a PRF function
aspect, which the old TLS versions do not know about.

You did not state if GNUTLS can use the new ciphersuites with a TLS
version <= 1.1 and what it does in that situation; could you please
check that specifically, as you seem to have the right part of the
GNUTLS code handy.


P.S.

Sorry if I got the Appendix letter wrong, I am typing from memory.
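The two PRFs the thread is arguing about, side by side, as an added example (this is not code from the thread, nor from OpenSSL, NSS or GnuTLS): the TLS 1.0/1.1 PRF of RFC 2246/4346 section 5 (secret split in half, P_MD5 XOR P_SHA1) and the TLS 1.2 PRF of RFC 5246 section 5 (one P_<hash> over the whole secret, hash chosen by the cipher suite, SHA-256 by default). `select_prf` encodes the version-based selection rule described for GnuTLS, and `derive_key_block` shows why two peers that pick different PRFs for the same master secret end up with different key material. The function and parameter names are this example's own; the sample secret and randoms are constructed, not captured.

```python
"""TLS PRF comparison: TLS 1.0/1.1 PRF vs TLS 1.2 PRF and version-based selection.
Added example; not taken from the thread or from any TLS library."""
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_<hash>(secret, seed) from RFC 5246 section 5:
    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    truncated to `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246 section 5): split the secret into two halves
    (an odd-length secret shares its middle byte), expand the first half with
    P_MD5 and the second with P_SHA1, then XOR the two streams."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 section 5): a single P_<hash> over the whole
    secret; the hash is the one named by the cipher suite (SHA-256 unless the
    suite specifies a stronger one, e.g. SHA-384 for the AES-256-GCM suites)."""
    return p_hash(hash_name, secret, label + seed, length)


def select_prf(version, suite_prf_hash="sha256"):
    """Version-based PRF selection (the rule the thread describes for GnuTLS).
    version is the (major, minor) wire value: TLS 1.0 = (3,1), 1.1 = (3,2), 1.2 = (3,3).
    Below 1.2 the old PRF applies regardless of cipher suite; from 1.2 on the
    suite's own PRF hash is used."""
    if version < (3, 1):
        raise ValueError("SSL 3.0 and earlier do not use the TLS PRF")
    if version <= (3, 2):
        return prf_tls10
    return lambda secret, label, seed, length: prf_tls12(
        secret, label, seed, length, suite_prf_hash)


def derive_key_block(version, master_secret, server_random, client_random,
                     length, suite_prf_hash="sha256"):
    """key_block = PRF(master_secret, "key expansion", server_random + client_random)
    (RFC 5246 section 6.3), using whichever PRF the version/suite selection yields."""
    prf = select_prf(version, suite_prf_hash)
    return prf(master_secret, b"key expansion", server_random + client_random, length)


if __name__ == "__main__":
    # Constructed sample values (not a real handshake).
    master_secret = bytes(range(48))
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    # A peer that applies the old PRF to an RFC 5246 suite and a peer that
    # applies P_SHA256 derive different key blocks from the same master secret,
    # so the first encrypted records fail to decrypt: the interoperability
    # problem raised in the thread.
    old = derive_key_block((3, 2), master_secret, server_random, client_random, 40)
    new = derive_key_block((3, 3), master_secret, server_random, client_random, 40)
    print("TLS 1.1 PRF key_block :", old.hex())
    print("TLS 1.2 PRF key_block :", new.hex())
    print("identical?", old == new)
```

The prefix behaviour of P_hash (a longer request starts with the bytes of a shorter one) is what lets the same function serve master-secret derivation, key expansion and the verify_data computation; it is also why a PRF mismatch is not detectable from the key block alone and only surfaces when Finished messages or the first records fail to verify.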
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org