[Help-gnutls] GNUTLS in handshake procedure

John Brooks aspecialj at gmail.com
Sun Sep 14 18:40:26 CEST 2008


As long as the handshake is called in the proper order (client must
speak first, which means client must initiate the handshake), it
doesn't matter when that happens during a connection's lifetime. The
server does need to be expecting it, or it would try to handle the
data normally instead of passing it to gnutls for handshaking.
Provided both ends are expecting it when it happens, and the client
goes first, you won't have any problems.

This is generally referred to as 'starttls'; it's a great way to
support both SSL and non-SSL connections, but care needs to be taken
to avoid MITM attacks stripping the SSL (for example, an attacker
faking a response from the server stating that SSL is not supported,
to force your connection to remain unencrypted), and to ensure that
nothing private is sent before the SSL connection starts.

- John Brooks
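A worked version of the exchange described above, as an added example in Go (not code from the original thread, which is about GnuTLS in C): the server keeps treating the connection as plaintext until it has offered TLS, the client initiates the handshake only after an "OK", and the client refuses to fall back to plaintext on any other answer. The "STARTTLS"/"OK"/"NO" lines, the "demo.invalid" name, the runtime-generated certificate and the in-memory net.Pipe are assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)
// demoCert: throwaway self-signed cert for "demo.invalid", built at runtime for this demo only.
func demoCert() (tls.Certificate, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors ignored for brevity
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"demo.invalid"},
		NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}
// StartTLSExchange runs the negotiation over an in-memory pipe: the client speaks first, the
// server hands the connection to TLS only after answering "OK", and the client hard-fails on
// any other answer instead of carrying on in plaintext (the stripping defence from the reply).
func StartTLSExchange(serverOffersTLS bool) error {
	cert, parsed := demoCert()
	cli, srv := net.Pipe()
	go func() { // server side
		defer srv.Close()
		req := make([]byte, 64)
		if n, _ := srv.Read(req); string(req[:n]) != "STARTTLS\n" || !serverOffersTLS {
			srv.Write([]byte("NO\n")) // keep treating the connection as plaintext
			return
		}
		srv.Write([]byte("OK\n")) // from here on the server expects a ClientHello
		tls.Server(srv, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
	}()
	defer cli.Close()
	cli.Write([]byte("STARTTLS\n")) // client goes first; TLS is not the first thing on the socket
	reply := make([]byte, 64)
	if n, _ := cli.Read(reply); string(reply[:n]) != "OK\n" {
		return fmt.Errorf("server did not offer TLS; refusing to continue in plaintext")
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Client(cli, &tls.Config{RootCAs: pool, ServerName: "demo.invalid"}).Handshake()
}
func main() {
	fmt.Println("offered:", StartTLSExchange(true), "| declined:", StartTLSExchange(false))
}
```

net.Pipe delivers each Write to exactly one Read, so the fixed-size plaintext reads cannot swallow handshake bytes; on a real socket, read only up to the newline before handing the descriptor to TLS, or the handshake will be consumed by the plaintext reader.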

On Sun, Sep 14, 2008 at 6:06 AM, Lennart Koopmann <lennart at scopeport.org> wrote:
> Hello everyone,
>
> I am using GNUTLS in a server I am currently writing. I am planning
> to implement a handshaking procedure:
>
> 1. Client requests TLS or non-TLS encryption.
> 2. Server responds if packets are accepted and if TLS is available.
> 3. Client sends data corresponding to reply from server.
>
> Can I just place the gnutls_handshake() when TLS is available and client
> chose to use TLS? Could there be a sync problem because gnutls_handshake()
> is not the first thing that is done in the socket
> connection/conversation?
>
> Please, I need your experience. :)
>
> Thank you!
>
> So long
> Lennart
>
>
>
> _______________________________________________
> Help-gnutls mailing list
> Help-gnutls at gnu.org
> http://lists.gnu.org/mailman/listinfo/help-gnutls
>