TLS Renegotiation problem
simon at josefsson.org
Tue Nov 10 09:55:52 CET 2009
Simon Josefsson <simon at josefsson.org> writes:
> For example, the mod_gnutls Apache plugin does not support renegotiation
> so there is no problem with it (this was the main case that I were
> concerned with):
Other servers that use GnuTLS is Exim4 and GNU Mailutils. I checked the
sources and cannot find any place where they performs TLS renegotiation.
So as far as I can tell, they are safe too.
(Of course, this assume that it is even possible to exploit this problem
with SMTP/IMAP/POP3 which I haven't seen explained yet.)
What other popular servers use GnuTLS?
Is there _any_ GnuTLS server that is vulnerable? Not even our
gnutls-serv appears to support renegotiation as far as I can tell.
More information about the Gnutls-devel