Another renegotiation patch
nmav at gnutls.org
Fri Feb 26 18:58:17 CET 2010
Tomas Hoger wrote:
> On Thu, 18 Feb 2010 15:04:55 +0100 Tomas Hoger <thoger at redhat.com>
>> Looks like the current behavior is intentional:
> Can you have a look at the attached diff. It moves GNUTLS_CLIENT test,
> so that the "Allowing/Denying unsafe initial negotiation" message is
> logged instead of "Allowing/Denying unsafe renegotiation" on initial
> client connection.
Hmmm... actually a client cannot tell if it is a renegotiation or an
initial connection. That's why this message is there.
> It also adds HANDSHAKE_FAILURE alert for unsafe initial negotiation
> (client), which is required by RFC 5746, 4.1. Though I'm wondering if
> this is the right place to generate this alert. If gnutls-serv refuses
> initial connection from the unpatched client, HANDSHAKE_FAILURE alert
> is generated, but it's from application rather than library. Should
> those alerts be generated by applications or library?
Alerts are sent by the application using gnutls_alert_send_appropriate()
or gnutls_alert_send().
> I'd also consider removing %INITIAL_SAFE_RENEGOTIATION from
> gnutls-cli.1 (always enforced) and mention client/server defaults in
> gnutls_priority_init.3. Should I try submitting changes proposal?
It is now always enforced but will not be the default after the
renegotiation protection is common practice.