Safe renegotiation patch

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Safe renegotiation patch

From:	Steve Dispensa
Subject:	Safe renegotiation patch
Date:	Mon, 11 Jan 2010 08:46:11 -0600

All,

I've updated the patch I initially submitted to conform to the new renegotiation draft. It's building and working, and I'm starting interoperability testing today. I hope to have something to post to the list for review in the next day or two.

I wanted to run a couple of decisions by the group as to how this should work. I've modified GNUTLS to always send (only) the RI extension for TLS1+, and to send SCSV for SSLv3 initial client hellos. All other SSLv3 hellos use the extension, as required by the draft. Does that make sense? I'd be glad to explain my reasoning if you'd like.

Also, I'm providing three API's:
- gnutls_allow_unsafe_renegotiation - allows for "lenient" mode, where we'll agree to talk to a peer that doesn't indicate support for safe renegotiation

- gnutls_allow_unsafe_initial_negotiation - allows servers to talk to a client that doesn't indicate support for safe renegotiation only as long as the client doesn't attempt to renegotiate (but drops the connection on any renegotiation attempt)

Both default to off.

Thoughts?

Thanks.

-Steve

[Prev in Thread]

Current Thread

[Next in Thread]

Safe renegotiation patch, Steve Dispensa <=
- Re: Safe renegotiation patch, Nikos Mavrogiannopoulos, 2010/01/11
  - Re: Safe renegotiation patch, Steve Dispensa, 2010/01/11
    - Re: Safe renegotiation patch, Nikos Mavrogiannopoulos, 2010/01/11

Prev by Date: getting a godaddy cert using certtool
Next by Date: Re: Safe renegotiation patch
Previous by thread: getting a godaddy cert using certtool
Next by thread: Re: Safe renegotiation patch
Index(es):
- Date
- Thread