[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: TLS Renegotiation problem
|
From: |
Daniel Kahn Gillmor |
|
Subject: |
Re: TLS Renegotiation problem |
|
Date: |
Mon, 09 Nov 2009 13:01:23 -0500 |
|
User-agent: |
Mozilla-Thunderbird 2.0.0.22 (X11/20090701) |
On 11/09/2009 10:19 AM, Simon Josefsson wrote:
> It is important to understand that you are not vulnerable unless you use
> renegotiation, which is not typical. If you use renegotiation, perhaps
> to request client certificates in a web server, the simplest "fix" is to
> disable any use of renegotiation.
My understanding is that the published attacks are undetectable from the
client-side without the use of the newly-proposed extension. So barring
that extension, it seems that that the protective workaround you
describe (disabling renegotiation) needs to be done on the server side.
Is there a way that this can be done generically with GnuTLS (e.g. a
priority string, which could conceivably be passed into gnutls by an
administrator without needing a rebuild), or should the server simply
avoid calling gnutls_handshake() more than once per session?
Regards,
--dkg
signature.asc
Description: OpenPGP digital signature
- TLS Renegotiation problem, Simon Josefsson, 2009/11/09
- Re: TLS Renegotiation problem,
Daniel Kahn Gillmor <=
- Re: TLS Renegotiation problem, Simon Josefsson, 2009/11/10
- Re: TLS Renegotiation problem, Simon Josefsson, 2009/11/10
- Message not available
- Re: TLS Renegotiation problem, Simon Josefsson, 2009/11/10
- Re: TLS Renegotiation problem, Tomas Hoger, 2009/11/10
- Re: TLS Renegotiation problem, Simon Josefsson, 2009/11/10
- Re: TLS Renegotiation problem, Florian Weimer, 2009/11/10
- Re: TLS Renegotiation problem, Tomas Hoger, 2009/11/11
- Message not available
- Re: TLS Renegotiation problem, Simon Josefsson, 2009/11/10
- Re: TLS Renegotiation problem, Simon Josefsson, 2009/11/17
- Re: TLS Renegotiation problem, Tomas Hoger, 2009/11/18