Another renegotiation patch

Tomas Hoger thoger at
Thu Feb 25 11:38:17 CET 2010

On Wed, 24 Feb 2010 17:06:48 +0100 Tomas Hoger <thoger at>

> It also add HANDSHAKE_FAILURE alert for unsafe initial negotiation
> (client), which is required by RFC 5746, 4.1.  Though I'm wondering if
> this is the right place to generate this alert.  If gnutls-serv
> refuses initial connection from the unpatched client,
> HANDSHAKE_FAILURE alert is generated, but it's from application
> rather than library.  Should those alerts be generated by
> applications or library?

Related to this... gnutls-cli currently does not break connection and
exit when handshake error occurs during server-requested renegotiation
(check_rehandshake() only prints rehandshake result).

This can be tested as:

$ gnutls-cli -p 666
- Simple Client Mode:

GET /otherciphers/ HTTP/1.0

*** Non fatal error: Rehandshake was requested by the peer.
*** Received rehandshake request
*** Fatal error: Safe renegotiation failed.
*** Rehandshake Failed.

No handshake_failure alert is sent, connection is not terminated.


More information about the Gnutls-devel mailing list