TLS Renegotiation problem

Tomas Hoger thoger at redhat.com
Wed Nov 18 19:28:52 CET 2009


On Tue, 17 Nov 2009 11:32:46 +0100 Simon Josefsson
<simon at josefsson.org> wrote:

> > In GnuTLS, rehandshaking needs to be done explicitly by servers when
> > they get the GNUTLS_E_REHANDSHAKE error back from
> > gnutls_record_recv. If servers don't call gnutls_handshake when
> > that happens, there is no problem.  So people can check their
> > applications if they are vulnerable to this problem.
> 
> For everyone's information, searching for "GNUTLS_E_REHANDSHAKE" in
> code is not be sufficient: that only takes care of the situation
> where the local client reacts on a renegotiation request from the
> remote server.
> 
> You also have to search for "gnutls_rehandshake" to take care of the
> situation where the local server initiates the renegotiation request.

I did a search for that in Red Hat Enterprise Linux sources and I've
not found anything using it.  Google codesearch finds it in mod_gnutls
though.  From a 30sec look, it may be using it in similar cases as
mod_ssl / mod_nss.

th.





More information about the Gnutls-devel mailing list