Re: Another renegotiation patch
From: Tomas Hoger
Subject: Re: Another renegotiation patch
Date: Thu, 18 Feb 2010 12:52:41 +0100

Hi Simon!
On Thu, 18 Feb 2010 09:19:06 +0100 Simon Josefsson
<address@hidden> wrote:
> Steve, Nikos, are you happy with the safe renegotiation implementation
> in git master now? Do we have complete self-tests of this? Is it
> documented? Has there been any interop testing with other
> implementations? Any other concerns I should be aware of?

Few quick observations:

- GnuTLS prefers RI to SCSV unless using SSL 3.0. New OpenSSL (and
  afaik NSS too) use SCSV in the initial client hellos even for TLS, to
  play more nicely with broken TLS servers that choke on TLS
  extensions.
- gnutls-cli invoked with --disable-extensions still sends hello with
  extensions.
- gnutls-cli fails to connect to servers not implementing RFC 5746.
  While this is required to fully address the issue on the client side,
  it's likely to cause major issues in the short term. gnutls-cli(1)
  suggests safe initial negotiation should not be required by default
  (see %INITIAL_SAFE_RENEGOTIATION), %UNSAFE_RENEGOTIATION is required
  to connect.
  Note: Both OpenSSL and NSS will not require safe initial negotiation
  yet for interoperability reasons.
- %INITIAL_SAFE_RENEGOTIATION name is somewhat confusing (renegotiation
  vs. negotiation).
- %INITIAL_SAFE_RENEGOTIATION defaults are not documented properly (see
  client concern above).
- I'd consider clarifying %DISABLE_SAFE_RENEGOTIATION description too.

HTH
th.
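
Added example, not part of the original message and not GnuTLS code: a Python helper for interop testing that parses a ClientHello body and reports which of the two RFC 5746 signals mentioned above it carries, the SCSV cipher suite value or the renegotiation_info (RI) extension. The function names and the three sample hellos are constructed for illustration; the input is assumed to be the ClientHello body with the 4-byte handshake header already stripped.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
EXT_RENEG_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746)

def reneg_signals(body: bytes) -> dict:
    """Report RFC 5746 signals in a ClientHello body (handshake header stripped)."""
    off = 0
    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated ClientHello")
        off += n
        return body[off - n:off]
    version = struct.unpack("!H", take(2))[0]
    take(32)                                     # random
    take(take(1)[0])                             # session_id
    raw = take(struct.unpack("!H", take(2))[0])  # cipher_suites
    if len(raw) % 2:
        raise ValueError("odd cipher_suites length")
    suites = struct.unpack("!%dH" % (len(raw) // 2), raw)
    take(take(1)[0])                             # compression_methods
    ext_types = []
    if off < len(body):                          # extensions block is optional
        ext_len = struct.unpack("!H", take(2))[0]
        if off + ext_len != len(body):
            raise ValueError("bad extensions length")
        while off < len(body):
            etype, elen = struct.unpack("!HH", take(4))
            take(elen)                           # skip extension payload
            ext_types.append(etype)
    return {"version": version, "scsv": SCSV in suites,
            "ri": EXT_RENEG_INFO in ext_types, "has_extensions": bool(ext_types)}

def build_hello(version, suites, extensions=()):
    """Build a minimal ClientHello body (constructed sample input, not a capture)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # null compression only
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return body

AES128_SHA = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA
# Constructed TLS 1.0 hellos: RI extension, SCSV without extensions, neither.
HELLO_RI = build_hello(0x0301, [AES128_SHA], [(EXT_RENEG_INFO, b"\x00")])
HELLO_SCSV = build_hello(0x0301, [AES128_SHA, SCSV])
HELLO_LEGACY = build_hello(0x0301, [AES128_SHA])
```

A hello for which both `scsv` and `ri` are false comes from a client that does not signal RFC 5746 support at all, and `has_extensions` shows whether an option meant to suppress extensions actually did so.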