gnutls-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: safe renegotiation


From: Tomas Hoger
Subject: Re: safe renegotiation
Date: Thu, 29 Apr 2010 13:57:45 +0200

On Thu, 29 Apr 2010 11:02:14 +0200 Nikos Mavrogiannopoulos wrote:

> This will actually harm mod_gnutls. Renegotiation is a common issue in
> HTTPS (for upgrading authentication using a certificate for certain
> locations).

Client certificate authentication should really be the only common use
case where renegotiation is really required with https.

> If people notice that no clients can connect on their servers will
> either install an older version of gnutls that "works" or just go to
> mod_ssl.

Anyone who goes to mod_ssl or mod_nss will face the same issue when
using new OpenSSL or NSS, as they both reject renegotiation with
unpatched clients.

mod_ssl got new config directive - SSLInsecureRenegotiation [1] -
allowing admins to let old clients renegotiate.  For mod_nss, you can
set NSS_SSL_ENABLE_RENEGOTIATION [2] environment variable to achieve
the similar result.  If mod_gnutls already has directive for setting
priority string, it can be an easy way to revert back to insecure
renegotiation for those who need it.

[1]
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
[2]
https://developer.mozilla.org/NSS_3.12.6_release_notes

th.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]