Another renegotiation patch

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Mar 3 11:52:33 CET 2010


Tomas Hoger wrote:
> Hi Nikos!
> 
> On Fri, 26 Feb 2010 18:58:17 +0100 Nikos Mavrogiannopoulos wrote:
> 
>>> Can you have a look at the attached diff.  It moves GNUTLS_CLIENT
>>> test, so that the "Allowing/Denying unsafe initial negotiation"
>>> message is logged instead of "Allowing/Denying unsafe
>>> renegotiation" on initial client connection.
>> Hmmm... actually a client cannot tell if it is a renegotiation or an
>> initial connection. That's why this message is there.
> Client can't tell if server sees that negotiation as initial or
> rehandshake, but it's initial negotiation as seen by client.  Moving
> the entity == client check a bit just changes a gnutls debug message
> and causes client not to send no_renegotiation warning.

You are right here, on the warning alert. I've committed a fix on that.

>>> I'd also consider removing %INITIAL_SAFE_RENEGOTIATION from
>>> gnutls-cli.1 (always enforced) and mention client/server defaults in
>>> gnutls_priority_init.3.  Should I try submitting changes proposal?
>> It is now always enforced but will not be the default after the
>> renegotiation protection is common practice.
> 
> May I ask why?  The current default is to be strict on client side
> regardless of the interoperability issues with unupgraded servers.  Why
> should the default change in the future to the less strict one, even
> though fewer servers are expected to require it at that time?

I must have been misunderstood. The strict default on the client will
stay as is in the future. The server behavior that is permissive to old
clients might change in the future.

regards,
Nikos