safe renegotiation
Tomas Hoger
thoger at redhat.com
Thu Apr 29 13:57:45 CEST 2010
On Thu, 29 Apr 2010 11:02:14 +0200 Nikos Mavrogiannopoulos wrote:
> This will actually harm mod_gnutls. Renegotiation is a common issue in
> HTTPS (for upgrading authentication using a certificate for certain
> locations).
Client certificate authentication should really be the only common use
case where renegotiation is really required with https.
> If people notice that no clients can connect on their servers will
> either install an older version of gnutls that "works" or just go to
> mod_ssl.
Anyone who goes to mod_ssl or mod_nss will face the same issue when
using new OpenSSL or NSS, as they both reject renegotiation with
unpatched clients.
mod_ssl got a new config directive - SSLInsecureRenegotiation [1] -
allowing admins to let old clients renegotiate. For mod_nss, you can
set the NSS_SSL_ENABLE_RENEGOTIATION [2] environment variable to achieve
a similar result. If mod_gnutls already has a directive for setting the
priority string, it can be an easy way to revert back to insecure
renegotiation for those who need it.
[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
[2] https://developer.mozilla.org/NSS_3.12.6_release_notes
th.
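The configuration discussed above, written out as an added example (not code from the thread or from the mod_ssl / mod_gnutls projects): an httpd vhost where client certificate authentication applies to a single location, which is exactly the case that makes the server renegotiate, with the safe mod_ssl default shown beside the insecure opt-out. Certificate paths are placeholders, and the mod_gnutls line assumes a GnuTLSPriorities directive and the GnuTLS priority keyword %UNSAFE_RENEGOTIATION, neither of which is quoted on this page.

```apache
# Added example: httpd 2.2 vhost, not from the original mailing-list post.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Placeholder paths (assumption, not from the thread)
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Safe setting (mod_ssl's default): renegotiate only with clients that
    # implement RFC 5746 secure renegotiation; unpatched clients are refused.
    SSLInsecureRenegotiation off

    # Temporary opt-out for unpatched clients, as described in [1].
    # Leave this commented out unless you have measured that old clients
    # still need it, and remove it once they are updated:
    # SSLInsecureRenegotiation on

    # Only this location requires a client certificate, so the handshake
    # for "/" completes without one and httpd renegotiates on first access
    # to /secure. This is the common HTTPS renegotiation case.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# mod_gnutls equivalent of the opt-out, assuming the priority-string
# directive and keyword below exist in the installed versions (assumption):
# GnuTLSPriorities NORMAL:%UNSAFE_RENEGOTIATION
```

The safe and insecure directives are mutually exclusive, so keep only one of them active; an admin who turns the opt-out on should also log which clients still lack the renegotiation extension so the setting can be reverted. For mod_nss, the NSS_SSL_ENABLE_RENEGOTIATION variable from [2] is set in the environment of the httpd process rather than in the vhost config.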
More information about the Gnutls-devel mailing list