Hello,

the API reference manual says this about gnutls_certificate_set_dh_params():

| gnutls_certificate_set_dh_params is deprecated and should not be used in
| newly-written code.
| 
| This function is unnecessary and discouraged on GnuTLS 3.6.0 or later.
| Since 3.6.0, DH parameters are negotiated following RFC7919.

Which I would read as "when upgrading code to
(only) work with gnutls 3.6.0 one should delete any
gnutls_certificate_set_dh_params()-invocations since they are
unnecessary because GnuTLS will automatically do RFC7919 negotiation."

However it looks like (see below) that is not true, there is no
automation but gnutls_certificate_set_dh_params needs to be replaced with
gnutls_certificate_set_known_dh_params ().

To verify this, take ex-serv-x509 and remove 
gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);

After this change
openssl s_client -connect localhost:5556 -cipher DHE-RSA-AES256-GCM-SHA384 -tls1_2
will fail.

cu Andreas

https://github.com/rbsec/sslscan/issues/214
https://bugs.debian.org/968145
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

_______________________________________________
Gnutls-help mailing list
Gnutls-help@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help
