TLS Renegotiation problem

Simon Josefsson simon at josefsson.org
Tue Nov 10 09:55:52 CET 2009


Simon Josefsson <simon at josefsson.org> writes:

> For example, the mod_gnutls Apache plugin does not support renegotiation
> so there is no problem with it (this was the main case that I were
> concerned with):

Other servers that use GnuTLS is Exim4 and GNU Mailutils.  I checked the
sources and cannot find any place where they performs TLS renegotiation.
So as far as I can tell, they are safe too.

(Of course, this assume that it is even possible to exploit this problem
with SMTP/IMAP/POP3 which I haven't seen explained yet.)

What other popular servers use GnuTLS?

Is there _any_ GnuTLS server that is vulnerable?  Not even our
gnutls-serv appears to support renegotiation as far as I can tell.

/Simon





More information about the Gnutls-help mailing list