mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 00:37:00 +08:00
doc update
TODO
@@ -31,10 +31,12 @@ Long term items:
* Certificate authentication to the main process. Possibly that is just
wishful thinking. To verify the TLS client certificate verify signature
packet one needs instead of the signature, the contents of all the handshake
messages, and knowledge of the negotiated TLS version, in addition to being
one needs in addition to the signature, the contents of all the handshake
messages, and knowledge of the negotiated TLS version, as well as being
able to select the server hello random. That could be done sanely only if
gnutls provided facilities to set the server hello random, and override the
client signature verification at an early stage before data are hashed
(to verify that the set random value was present in the handshake).
However, the complexity required to implement that may in fact reduce
security rather than increase it.
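Review bot: the rewritten line drops the word "packet" that the previous wording carried over from the preceding context line, so the item now reads "To verify the TLS client certificate verify signature one needs in addition to the signature, the contents of all the handshake messages ...", which is hard to parse at the line break. Naming the message explicitly and punctuating the clause would fix it, e.g. "To verify the signature in the TLS CertificateVerify message, one needs, in addition to the signature itself, the contents of all the handshake messages, knowledge of the negotiated TLS version, and the ability to select the server hello random." The new closing sentence ("the complexity required to implement that may in fact reduce security rather than increase it") reads as a decision not to pursue this; if that is the intent, state it in the item so it is not picked up as open work from the "Long term items" list.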