Safe renegotiation patch
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon Jan 11 23:11:44 CET 2010
Steve Dispensa wrote:
>> Why this one is needed? Shouldn't all initial negotiations be accepted
>> and fail only if renegotiation
>> is requested? I believe this was the behavior of your previous patch.
>
> A totally strict server may not want to allow unpatched clients, since
> those clients are unable to tell if they're being attacked. I defaulted
> it to off to be conservative from a security perspective.
I understand. However this will make the new release non-interoperable
with anything else existing. Thus for now I believe this should be
allowed and at a later point that secure renegotiation is common
practice that should be by default off.
regards,
Nikos
More information about the Gnutls-devel
mailing list