[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Another renegotiation patch

From: Nikos Mavrogiannopoulos
Subject: Re: Another renegotiation patch
Date: Fri, 26 Feb 2010 18:58:17 +0100
User-agent: Thunderbird (X11/20090817)

Tomas Hoger wrote:
> On Thu, 18 Feb 2010 15:04:55 +0100 Tomas Hoger <address@hidden>
> wrote:
>> Looks like the current behavior is intentional:
> Can you have a look at the attached diff.  It moves GNUTLS_CLIENT test,
> so that the "Allowing/Denying unsafe initial negotiation" message is
> logged instead of "Allowing/Denying unsafe renegotiation" on initial
> client connection.

Hmmm... actually a client cannot tell if it is a renegotiation or an
initial connection. That's why this message is there.

> It also add HANDSHAKE_FAILURE alert for unsafe initial negotiation
> (client), which is required by RFC 5746, 4.1.  Though I'm wondering if
> this is the right place to generate this alert.  If gnutls-serv refuses
> initial connection from the unpatched client, HANDSHAKE_FAILURE alert
> is generated, but it's from application rather than library.  Should
> those alerts be generated by applications or library?

Alerts are send by the application using gnutls_alert_send_appropriate()
- or gnutls_alert_send().

> I'd also consider removing %INITIAL_SAFE_RENEGOTIATION from
> gnutls-cli.1 (always enforced) and mention client/server defaults in
> gnutls_priority_init.3.  Should I try submitting changes proposal?

It is now always enforced but will not be the default after the
renegotiation protection is common practice.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]