Add a TODO(TLS1.3) around certificate selection

Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2157)
author: Matt Caswell <matt@openssl.org> 2016-12-05 14:58:51 +0000
committer: Matt Caswell <matt@openssl.org> 2017-01-10 23:02:50 +0000
commit: 3f305a80e9a449a1c8671f387ac3e0575dfdd9bf (patch)
tree: 011b4952accb438870cf3730927505135af99c6e /ssl/ssl_lib.c
parent: 684b16953b1c81d77990849533aa723b6a955ecd (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 58873456c8..21ea2843f7 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2823,6 +2823,12 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 static int ssl_get_server_cert_index(const SSL *s)
 {
     int idx;
+
+    /*
+     * TODO(TLS1.3): In TLS1.3 the selected certificate is not based on the
+     * ciphersuite. For now though it still is. Our only TLS1.3 ciphersuite
+     * forces the use of an RSA cert. This will need to change.
+     */
     idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
     if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509)
         idx = SSL_PKEY_RSA_SIGN;
author	Matt Caswell <matt@openssl.org>	2016-12-05 14:58:51 +0000
committer	Matt Caswell <matt@openssl.org>	2017-01-10 23:02:50 +0000
commit	3f305a80e9a449a1c8671f387ac3e0575dfdd9bf (patch)
tree	011b4952accb438870cf3730927505135af99c6e /ssl/ssl_lib.c
parent	684b16953b1c81d77990849533aa723b6a955ecd (diff)