TLS Renegotiation problem

Simon Josefsson simon at josefsson.org
Mon Nov 9 16:19:50 CET 2009


As you may have heard, people how found out how to attack TLS as used in
many application protocols.  For more info see:

http://www.ietf.org/id/draft-rescorla-tls-renegotiation-00.txt
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
http://extendedsubset.com/
http://www.imperialviolet.org/2009/11/05/tls-reneg.html

It is important to understand that you are not vulnerable unless you use
renegotiation, which is not typical.  If you use renegotiation, perhaps
to request client certificates in a web server, the simplest "fix" is to
disable any use of renegotiation.  You don't need to do this if your
application protocol is robust -- for example XMPP/Jabber appears to be
robust against the problem.  HTTPS is not robust.

There is work ongoing to specify a new extension to make TLS
renegotiation safe against this attack, and hopefully GnuTLS will
support it soon.  Patches have been published in
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3944 but
not yet tested or verified, and the IETF/IANA has not allocated a TLS
extension number for it yet either.

/Simon





More information about the Gnutls-help mailing list