gnutls-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: safe renegotiation bug?

From: Simon Josefsson
Subject: Re: safe renegotiation bug?
Date: Fri, 28 May 2010 09:07:50 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux) 
Nikos Mavrogiannopoulos <address@hidden> writes:

> Simon Josefsson wrote:
>> Nikos Mavrogiannopoulos <address@hidden> writes:
>> 
>>> Simon Josefsson wrote:
>>>> I have added tests/safe-renegotiation/srn5.c in which a client with
>>>> support for safe reneg connect to a server without support for safe
>>>> reneg.  The handshake succeeds (as expected), however the call to
>>>> gnutls_safe_renegotiation_status in the server, after the handshake,
>>>> indicates that the session is using safe renegotiation -- this seems
>>>> like a bug to me.  Nikos/Steve, could you take a look?
>>> Should be ok now. I get aborts in the srn5 but they seem intended?
>> 
>> I fixed that now -- however it seems there is another problem, now the
>> rehandshake succeeds against a server that doesn't support safe
>> renegotiation.  The second handshake in srn5 should fail, shouldn't it?
>
> By default server is on unsafe renegotiation mode and doesn't require
> any of the extensions, either on the first or subsequent negotiations.
> Disallowing rengotiations after this point for the client shouldn't
> offer any advantage since you are already connected securely to a peer.

But this self tests is with a server that has safe renegotiation
disabled, see tests/safe-renegotiation/srn5.c.

The client by default permits connections, but I don't think clients
should (by default) allow renegotiation against such servers.

/Simon
reply via email to
[Prev in Thread] Current Thread [Next in Thread]