safe renegotiation in client side

Simon Josefsson simon at josefsson.org
Thu Apr 29 10:10:07 CEST 2010


Tomas Mraz <tmraz at redhat.com> writes:

> On Mon, 2010-03-15 at 21:46 +0100, Nikos Mavrogiannopoulos wrote: 
>> As you may have noticed there was a big fuss lately about a bug in the
>> TLS protocol that could cause a client to connect to the wrong server
>> via a renegotiation. There is a fix to the protocol that is
>> unfortunately incompatible with previous versions (if security is
>> required). Thus a gnutls client implementing the fix cannot connect to
>> any non-patched server[0]. To achieve compatibility one has to to
>> explicitly allow unsafe renegotiation with a priority string. This is
>> not always possible since gnutls might be used unintentionally by a
>> program via another library.
>> 
>> With some trials in my system I noticed that the current behavior causes
>> denial of service and a simple user might not even have control over the
>> priority string for gnutls.
>> 
>> Given your experiences (as system packager, user, implementor or so),
>> what do you think is the adoption of priority strings in programs? Given
>> a program that uses gnutls is it easy to set a string with the
>> algorithms etc. needed for the negotiation?
>
> The OpenSSL upstream decided to allow the client to talk to the
> unpatched servers by default. Of course it means that if the client
> talks to such server it is vulnerable to the attack. They've also added
> a function call so an application can query whether the connection is
> protected by the safe renegotiation or not.

GnuTLS will behave the same.

> I, as maintainer of OpenSSL and gnutls packages in Fedora and Red Hat
> Enterprise Linux, decided when backporting the safe renegotiation
> patches to the old gnutls packages in released distributions, that the
> client has to be tolerant to missing safe renegotiation support on
> connected servers for now and so I have removed the strict client side
> check from the backported patches. If the adoption of the safe
> renegotiation extension gets better, we will release updated packages
> which will contain the strict client side check.

What is your opinion on whether servers should refuse renegotiation
attempts from clients that doesn't support the extension?

/Simon





More information about the Gnutls-devel mailing list