simon at josefsson.org
Thu Apr 29 12:32:40 CEST 2010
Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:
> On Thu, Apr 29, 2010 at 10:16 AM, Simon Josefsson <simon at josefsson.org> wrote:
>> I've tested the safe renegotiation stuff a bit more, and I believe we
>> could tweak the defaults to make them slightly more secure: let
>> %SAFE_RENEGOTIATION be the default for servers.
>> This means that servers will refuse to RE-negotiate against clients that
>> does not support the extension.
>> The odd package is mod_gnutls for Apache, but it exposes a priority
>> string interface to the administrator, thus allowing them to override
>> the behaviour easily -- however we should recommend that they don't,
>> because it is really insecure.
> This will actually harm mod_gnutls. Renegotiation is a common issue in
> HTTPS (for upgrading authentication using a certificate for certain
It is not used frequently though, and it is vulnerable to attack.
My main point is that mod_gnutls may 1) document this problem and
suggesting people to use %UNSAFE_RENEGOTIATION in the docstring, or even
2) use %UNSAFE_RENEGOTIATION by default if no other priority string is
> If people notice that no clients can connect on their servers will
> either install an older version of gnutls that "works" or just go to
> mod_ssl. Moreover it is problematic in the sense that an administrator
> might not detect at all that his site is inaccessible and only find
> out after losing customers or so. I think that fixing a security issue
> but as a side-effect causing serious issues in interoperability with
> old software is a recipe for people to move out of your software
> (intel never managed to get rid of x86, and I don't think we can
> afford it).
> Let's be conservative and wait. This issue proved not to be that
> important in the internet (not many people upgraded because of this).
According to Tomas, OpenSSL protect against this. If that is the case,
I think the answer is simple: we should do the same.
More information about the Gnutls-devel