safe renegotiation bug?
simon at josefsson.org
Tue Jun 1 16:25:48 CEST 2010
Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:
> Simon Josefsson wrote:
>>>> What do you think about this approach?
>>> As a concept I agree... The only problem might be that
>>> %PARTIAL_RENEGOTIATION might be misleading in client side because it
>>> doesn't really protect from the https renegotiation attack, but this can
>>> be made clear in the documentation. I'll try to check it today.
>> Right, PARTIAL_RENEGOTIATION is the trade-off approach that is
>> vulnerable to some attacks but at least allows interop to happen. I
>> think we have some good warning material in the manual already for this.
>> It would be great if you could make modifications to make this happen.
>> I can update the self tests to make sure it is working as we want it to.
>> Alas I'll be travelling in the next few days, but I'll have some
>> connectivity and can do a 2.9.11 release.
> Should be ok now. I needed to make some changes in srn5 in order to
> work. Please check them because I might not have understood what it
> does. It might be better to have a small text that documents what each
> srn?.c is testing for. Otherwise if it fails it is difficult to
> understand why and what went wrong.
Thanks! I'll take a look later this week -- there is
tests/safe-rengotiation/README which attempts to describe the tests, but
it may not be completely updated.
It may be that some of the srn?.c tests are not relevant any more.