Re: Another renegotiation patch

[Nikos Mavrogiannopoulos]

Tomas Hoger wrote:
> On Thu, 18 Feb 2010 15:04:55 +0100 Tomas Hoger <address@hidden>
> wrote:
> 
>> Looks like the current behavior is intentional:
>>
>> http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=2a10542bf8f7cfbd5e6a4b17c8d502133da93fc5
> 
> Can you have a look at the attached diff.  It moves GNUTLS_CLIENT test,
> so that the "Allowing/Denying unsafe initial negotiation" message is
> logged instead of "Allowing/Denying unsafe renegotiation" on initial
> client connection.

Hmmm... actually a client cannot tell if it is a renegotiation or an
initial connection. That's why this message is there.


> It also add HANDSHAKE_FAILURE alert for unsafe initial negotiation
> (client), which is required by RFC 5746, 4.1.  Though I'm wondering if
> this is the right place to generate this alert.  If gnutls-serv refuses
> initial connection from the unpatched client, HANDSHAKE_FAILURE alert
> is generated, but it's from application rather than library.  Should
> those alerts be generated by applications or library?

Alerts are send by the application using gnutls_alert_send_appropriate()
- or gnutls_alert_send().

> 
> I'd also consider removing %INITIAL_SAFE_RENEGOTIATION from
> gnutls-cli.1 (always enforced) and mention client/server defaults in
> gnutls_priority_init.3.  Should I try submitting changes proposal?

It is now always enforced but will not be the default after the
renegotiation protection is common practice.


regards,
Nikos