Another renegotiation patch

Tomas Hoger thoger at redhat.com
Thu Feb 25 11:38:17 CET 2010


On Wed, 24 Feb 2010 17:06:48 +0100 Tomas Hoger <thoger at redhat.com>
wrote:

> It also adds HANDSHAKE_FAILURE alert for unsafe initial negotiation
> (client), which is required by RFC 5746, 4.1.  Though I'm wondering if
> this is the right place to generate this alert.  If gnutls-serv
> refuses initial connection from the unpatched client,
> HANDSHAKE_FAILURE alert is generated, but it's from application
> rather than library.  Should those alerts be generated by
> applications or library?

Related to this... gnutls-cli currently does not break the connection
and exit when a handshake error occurs during a server-requested
renegotiation (check_rehandshake() only prints the rehandshake result).

This can be tested as:

$ gnutls-cli -p 666 ssltls.de
...
- Simple Client Mode:

GET /otherciphers/ HTTP/1.0

*** Non fatal error: Rehandshake was requested by the peer.
*** Received rehandshake request
*** Fatal error: Safe renegotiation failed.
*** Rehandshake Failed.

No handshake_failure alert is sent and the connection is not terminated.

th.
