On 10 August 2010 (IV Id. Aug. MMX), Jakob Bohm wrote:

[...]

> The issue is which PRF to use when TLS version <= 1.1 but ciphersuite
> is from RFC5246 Appendix A. The TLS 1.1 and older standards then
> insist on the old PRF no matter what cipher suite is used, while the
> cipher suite definitions (in RFC5246 Appendix A) specify a PRF function
> aspect, which the old TLS versions do not know about.
That's right. This notion of a ciphersuite-selected PRF doesn't exist for TLS1.1 and older protocols, and the new ciphersuites TLS1.2 defined all specify SHA256 as the PRF. Using these ciphersuites with the old PRF would then be invalid. Enforcing this would be problematic, since you keep the same cipher identifiers on the wire, with different behaviours depending on the protocol.

> You did not state if GNUTLS can use the new ciphersuites with a TLS
> version <= 1.1 and what it does in that situation, could you please
> check that specifically, as you seem to have the right part of the
> GNUTLS code handy.

Reading the source, the ciphersuite list is built by removing ciphers not valid with the negotiated protocol version. Whence, TLS1.2 ciphersuites can't be used with a TLS1.1 or older connection. That's confirmed by analyzing what is sent on the wire (a GNUTLS client talking to an Apache+mod_ssl server).

If this check is removed, I think the PRF function used will be based on the protocol version, not the selected cipher. TLS1.2 will use SHA256, any other will use the old MD5+SHA1.

Anyway, if you modify the source, you can do anything you want.

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
Département R&D KEYNECTIS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
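The version-driven PRF selection discussed in this thread, as an added illustration that is not code from the thread, from GnuTLS or from OpenSSL: both PRFs are implemented from RFC 2246 (MD5+SHA1) and RFC 5246 (P_SHA256), and a small selector applies the rule stated above (below TLS 1.2 the ciphersuite's PRF hash is ignored; the version tuples (3,1)/(3,2)/(3,3) for TLS 1.0/1.1/1.2 and the `select_prf` / `master_secret` helper names are this example's own).

```python
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) from RFC 5246 section 5, expanded to `length` bytes."""
    out = b""
    a = seed                                          # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()   # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246/4346): P_MD5(S1) XOR P_SHA1(S2).

    S1 is the first half of the secret, S2 the last half; for an odd length
    the halves share their middle byte, as the RFC specifies."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))

def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246): P_<hash>(secret, label + seed).

    The hash is a property of the negotiated ciphersuite; every suite defined
    in RFC 5246 itself uses SHA-256."""
    return p_hash(hash_name, secret, label + seed, length)

def select_prf(version, suite_prf_hash="sha256"):
    """Select the PRF by protocol version, as the message describes.

    Only TLS 1.2 (3,3) honours the ciphersuite's PRF hash; TLS 1.1 and older
    have no notion of it and always use the MD5+SHA1 construction."""
    if version >= (3, 3):
        def prf(secret, label, seed, length):
            return prf_tls12(secret, label, seed, length, suite_prf_hash)
        return prf
    return prf_tls10

def master_secret(version, pre_master, client_random, server_random,
                  suite_prf_hash="sha256"):
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    prf = select_prf(version, suite_prf_hash)
    return prf(pre_master, b"master secret", client_random + server_random, 48)

if __name__ == "__main__":
    # Constructed sample inputs, not real handshake values.
    pm, cr, sr = bytes(range(48)), b"\x11" * 32, b"\x22" * 32
    for v in ((3, 1), (3, 2), (3, 3)):
        print(v, master_secret(v, pm, cr, sr).hex())
```

Running the block shows that the same pre-master secret and randoms yield identical master secrets for TLS 1.0 and 1.1 but a different one for TLS 1.2, which is why a TLS 1.2 suite negotiated under an older version cannot be keyed the way RFC 5246 defines it.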