safe renegotiation bug?

Simon Josefsson simon at josefsson.org
Tue Jun 1 16:25:48 CEST 2010


Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Simon Josefsson wrote:
>
>>>> What do you think about this approach?
>>> As a concept I agree... The only problem might be that
>>> %PARTIAL_RENEGOTIATION might be misleading in client side because it
>>> doesn't really protect from the https renegotiation attack, but this can
>>> be made clear in the documentation. I'll try to check it today.
>> 
>> Right, PARTIAL_RENEGOTIATION is the trade-off approach that is
>> vulnerable to some attacks but at least allows interop to happen.  I
>> think we have some good warning material in the manual already for this.
>> 
>> It would be great if you could make modifications to make this happen.
>> I can update the self tests to make sure it is working as we want it to.
>> Alas I'll be travelling in the next few days, but I'll have some
>> connectivity and can do a 2.9.11 release.
>
> Should be ok now. I needed to make some changes in srn5 in order to
> work. Please check them because I might have not understand what it
> does. It might be better to have a small text that documents what each
> srn?.c is testing for. Otherwise if it fails it is difficult to
> understand why and what went wrong.

Thanks!  I'll take a look later this week -- there is
tests/safe-rengotiation/README which attempts to describe the tests, but
it may not be completely updated.

It may be that some of the srn?.c tests are not relevant any more.

/Simon




More information about the Gnutls-devel mailing list