TLS Renegotiation problem
Simon Josefsson
simon at josefsson.org
Tue Nov 10 12:29:04 CET 2009
Tomas Hoger <thoger at redhat.com> writes:
> On Tue, Nov 10, 2009 at 09:55:52AM +0100, Simon Josefsson wrote:
>> What other popular servers use GnuTLS?
>
> CUPS and libvirt(d). No GNUTLS_E_REHANDSHAKE in their sources, client
> requested renegotiations seem to fail.
Thanks for checking. So to summarize, so far the following servers
appears to not be affected by this problem when used with GnuTLS:
gnutls-serv
mod_gnutls
exim4
mailutils
CUPS
libvirtd
If the servers are linked with OpenSSL I don't know if they are
vulnerable or not, it would depend on whether OpenSSL perform
renegotiation without application interaction. So make sure they are
linked to GnuTLS before declaring victory.
I think we now have some evidence to suggest GnuTLS needn't do anything
about this. It seems any use of rehandshake with GnuTLS is
application-specific and then the answer is probably to fix that
application instead of GnuTLS. Any more insight or thoughts on this is
welcome.
What GnuTLS needs to do, though, is to have a discussion of the issue in
the manual where renegotiation is discussed, so application writers are
aware of the problem.
/Simon
More information about the Gnutls-devel
mailing list