Another renegotiation patch
thoger at redhat.com
Wed Feb 24 17:06:48 CET 2010
On Thu, 18 Feb 2010 15:04:55 +0100 Tomas Hoger <thoger at redhat.com>
> Looks like the current behavior is intentional:
Can you have a look at the attached diff? It moves the GNUTLS_CLIENT test,
so that the "Allowing/Denying unsafe initial negotiation" message is
logged instead of "Allowing/Denying unsafe renegotiation" on initial
It also adds a HANDSHAKE_FAILURE alert for unsafe initial negotiation
(client), which is required by RFC 5746, 4.1. Though I'm wondering if
this is the right place to generate this alert. If gnutls-serv refuses an
initial connection from the unpatched client, a HANDSHAKE_FAILURE alert
is generated, but it's from the application rather than the library. Should
those alerts be generated by applications or by the library?
I'd also consider removing %INITIAL_SAFE_RENEGOTIATION from
gnutls-cli.1 (it is always enforced) and mentioning the client/server defaults in
gnutls_priority_init.3. Should I try submitting a change proposal?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1500 bytes
Desc: not available