[gnutls-help] [gnutls-devel] higher level session API?
nmav at gnutls.org
Sat Jan 19 13:56:12 CET 2013
On 01/18/2013 11:04 AM, Alfredo Pironti wrote:
> One issue I see, is what happen to the buffered data if a
> (re)handshake takes place. Potentially, this changes the ciphersuite
> and the peer's identity. Safe renegotiation ensures the next
> ciphersuite and peer's identity have been negotiated with the previous
> peer, but the application may not want to send the remaining buffered
> data to the new peer with the new (potentially less secure)
Indeed, the higher level functions should either prohibit rehandshake,
or only allow it when safe renegotiation is supported by both.
About a potentially less secure ciphersuite, I think that the actual
security level of the session is set by the initial priority string.
That is, the weakest algorithm in that list should be assumed to be the
security level. A renegotiation couldn't reduce that level.
More information about the Gnutls-help